1 .\" This manpage has been automatically generated by docbook2man-spec
2 .\" from a DocBook document. docbook2man-spec can be found at:
3 .\" <http://shell.ipoline.com/~elmert/hacks/docbook2X/>
4 .\" Please send any bug reports, improvements, comments, patches,
5 .\" etc. to Steve Cheng <steve@ggi-project.org>.
6 .TH "SMB.CONF" "5" "09 October 2002" "" ""
8 smb.conf \- The configuration file for the Samba suite
11 The \fIsmb.conf\fR file is a configuration
12 file for the Samba suite. \fIsmb.conf\fR contains
13 runtime configuration information for the Samba programs. The
14 \fIsmb.conf\fR file is designed to be configured and
15 administered by the \fBswat(8)\fR
16 program. The complete description of the file format and
17 possible parameters held within are here for reference purposes.
20 The file consists of sections and parameters. A section
21 begins with the name of the section in square brackets and continues
22 until the next section begins. Sections contain parameters of the
27 The file is line-based - that is, each newline-terminated
28 line represents either a comment, a section name or a parameter.
30 Section and parameter names are not case sensitive.
32 Only the first equals sign in a parameter is significant.
33 Whitespace before or after the first equals sign is discarded.
34 Leading, trailing and internal whitespace in section and parameter
35 names is irrelevant. Leading and trailing whitespace in a parameter
36 value is discarded. Internal whitespace within a parameter value
39 Any line beginning with a semicolon (';') or a hash ('#')
40 character is ignored, as are lines containing only whitespace.
42 Any line ending in a '\\' is continued
43 on the next line in the customary UNIX fashion.
45 The values following the equals sign in parameters are all
46 either a string (no quotes needed) or a boolean, which may be given
47 as yes/no, 0/1 or true/false. Case is not significant in boolean
48 values, but is preserved in string values. Some items such as
49 create modes are numeric.
50 .SH "SECTION DESCRIPTIONS"
52 Each section in the configuration file (except for the
53 [global] section) describes a shared resource (known
54 as a "share"). The section name is the name of the
55 shared resource and the parameters within the section define
56 the shares attributes.
58 There are three special sections, [global],
59 [homes] and [printers], which are
60 described under \fBspecial sections\fR. The
61 following notes apply to ordinary section descriptions.
63 A share consists of a directory to which access is being
64 given plus a description of the access rights which are granted
65 to the user of the service. Some housekeeping options are
68 Sections are either file share services (used by the
69 client as an extension of their native file systems) or
70 printable services (used by the client to access print services
71 on the host running the server).
73 Sections may be designated \fBguest\fR services,
74 in which case no password is required to access them. A specified
75 UNIX \fBguest account\fR is used to define access
76 privileges in this case.
78 Sections other than guest services will require a password
79 to access them. The client provides the username. As older clients
80 only provide passwords and not usernames, you may specify a list
81 of usernames to check against the password using the "user ="
82 option in the share definition. For modern clients such as
83 Windows 95/98/ME/NT/2000, this should not be necessary.
85 Note that the access rights granted by the server are
86 masked by the access rights granted to the specified or guest
87 UNIX user by the host system. The server does not grant more
88 access than the host system grants.
90 The following sample section defines a file space share.
91 The user has write access to the path \fI/home/bar\fR.
92 The share is accessed via the share name "foo":
103 The following sample section defines a printable share.
104 The share is readonly, but printable. That is, the only write
105 access permitted is via calls to open, write to and close a
106 spool file. The \fBguest ok\fR parameter means
107 access will be permitted as the default guest user (specified
112 path = /usr/spool/public
120 .SH "SPECIAL SECTIONS"
121 .SS "THE GLOBAL SECTION"
123 parameters in this section apply to the server
124 as a whole, or are defaults for sections which do not
125 specifically define certain items. See the notes
126 under PARAMETERS for more information.
127 .SS "THE HOMES SECTION"
129 If a section called homes is included in the
130 configuration file, services connecting clients to their
131 home directories can be created on the fly by the server.
133 When the connection request is made, the existing
134 sections are scanned. If a match is found, it is used. If no
135 match is found, the requested section name is treated as a
136 user name and looked up in the local password file. If the
137 name exists and the correct password has been given, a share is
138 created by cloning the [homes] section.
140 Some modifications are then made to the newly
144 The share name is changed from homes to
145 the located username.
148 If no path was given, the path is set to
149 the user's home directory.
151 If you decide to use a \fBpath =\fR line
152 in your [homes] section then you may find it useful
153 to use the %S macro. For example :
156 \fBpath = /data/pchome/%S\fR
159 would be useful if you have different home directories
160 for your PCs than for UNIX access.
163 This is a fast and simple way to give a large number
164 of clients access to their home directories with a minimum
168 A similar process occurs if the requested section
169 name is "homes", except that the share name is not
170 changed to that of the requesting user. This method of using
171 the [homes] section works well if different users share
175 The [homes] section can specify all the parameters
176 a normal service section can specify, though some make more sense
177 than others. The following is a typical and suitable [homes]
189 An important point is that if guest access is specified
190 in the [homes] section, all home directories will be
191 visible to all clients \fBwithout a password\fR.
192 In the very unlikely event that this is actually desirable, it
193 would be wise to also specify \fBread only
197 Note that the \fBbrowseable\fR flag for
198 auto home directories will be inherited from the global browseable
199 flag, not the [homes] browseable flag. This is useful as
200 it means setting \fBbrowseable = no\fR in
201 the [homes] section will hide the [homes] share but make
202 any auto home directories visible.
204 .SS "THE PRINTERS SECTION"
206 This section works like [homes],
209 If a [printers] section occurs in the
210 configuration file, users are able to connect to any printer
211 specified in the local host's printcap file.
213 When a connection request is made, the existing sections
214 are scanned. If a match is found, it is used. If no match is found,
215 but a [homes] section exists, it is used as described
216 above. Otherwise, the requested section name is treated as a
217 printer name and the appropriate printcap file is scanned to see
218 if the requested section name is a valid printer share name. If
219 a match is found, a new printer share is created by cloning
220 the [printers] section.
222 A few modifications are then made to the newly created
226 The share name is set to the located printer
230 If no printer name was given, the printer name
231 is set to the located printer name
234 If the share does not permit guest access and
235 no username was given, the username is set to the located
238 Note that the [printers] service MUST be
239 printable - if you specify otherwise, the server will refuse
240 to load the configuration file.
243 Typically the path specified would be that of a
244 world-writeable spool directory with the sticky bit set on
245 it. A typical [printers] entry would look like
251 path = /usr/spool/public
258 All aliases given for a printer in the printcap file
259 are legitimate printer names as far as the server is concerned.
260 If your printing subsystem doesn't work like that, you will have
261 to set up a pseudo-printcap. This is a file consisting of one or
262 more lines like this:
266 alias|alias|alias|alias...
272 Each alias should be an acceptable printer name for
273 your printing subsystem. In the [global] section, specify
274 the new file as your printcap. The server will then only recognize
275 names found in your pseudo-printcap, which of course can contain
276 whatever aliases you like. The same technique could be used
277 simply to limit access to a subset of your local printers.
280 An alias, by the way, is defined as any component of the
281 first entry of a printcap record. Records are separated by newlines,
282 components (if there are more than one) are separated by vertical
286 NOTE: On SYSV systems which use lpstat to determine what
287 printers are defined on the system you may be able to use
288 "printcap name = lpstat" to automatically obtain a list
289 of printers. See the "printcap name" option
294 parameters define the specific attributes of sections.
296 Some parameters are specific to the [global] section
297 (e.g., \fBsecurity\fR). Some parameters are usable
298 in all sections (e.g., \fBcreate mode\fR). All others
299 are permissible only in normal sections. For the purposes of the
300 following descriptions the [homes] and [printers]
301 sections will be considered normal. The letter \fBG\fR
302 in parentheses indicates that a parameter is specific to the
303 [global] section. The letter \fBS\fR
304 indicates that a parameter can be specified in a service specific
305 section. Note that all \fBS\fR parameters can also be specified in
306 the [global] section - in which case they will define
307 the default behavior for all services.
309 parameters are arranged here in alphabetical order - this may
310 not create best bedfellows, but at least you can find them! Where
311 there are synonyms, the preferred synonym is described, others refer
312 to the preferred synonym.
313 .SH "VARIABLE SUBSTITUTIONS"
315 Many of the strings that are settable in the config file
316 can take substitutions. For example the option "path =
317 /tmp/%u" would be interpreted as "path =
318 /tmp/john" if the user connected with the username john.
320 These substitutions are mostly noted in the descriptions below,
321 but there are some general substitutions which apply whenever they
322 might be relevant. These are:
325 the name of the current service, if any.
328 the root directory of the current service,
332 user name of the current service, if any.
335 primary group name of %u.
338 session user name (the user name that the client
339 wanted, not necessarily the same as the one they got).
342 primary group name of %U.
345 the home directory of the user given
352 the Internet hostname that Samba is running
356 the NetBIOS name of the client machine
360 the NetBIOS name of the server. This allows you
361 to change your config based on what the client calls you. Your
362 server can have a "dual personality".
364 Note that this paramater is not available when Samba listens
365 on port 445, as clients no longer send this information
368 the Internet name of the client machine.
371 the name of your NIS home directory server.
372 This is obtained from your NIS auto.map entry. If you have
373 not compiled Samba with the \fB--with-automount\fR
374 option then this value will be the same as %L.
377 the path of the service's home directory,
378 obtained from your NIS auto.map entry. The NIS auto.map entry
379 is split up as "%N:%p".
382 the selected protocol level after
383 protocol negotiation. It can be one of CORE, COREPLUS,
384 LANMAN1, LANMAN2 or NT1.
387 The process id of the current server
391 the architecture of the remote
392 machine. Only some are recognized, and those may not be
393 100% reliable. It currently recognizes Samba, WfWg, Win95,
394 WinNT and Win2k. Anything else will be known as
395 "UNKNOWN". If it gets it wrong then sending a level
396 3 log to samba@samba.org
397 <URL:mailto:samba@samba.org> should allow it to be fixed.
400 The IP address of the client machine.
403 the current date and time.
405 \fB%$(\fIenvvar\fB)\fR
406 The value of the environment variable
409 There are some quite creative things that can be done
410 with these substitutions and other smb.conf options.
414 Samba supports "name mangling" so that DOS and
415 Windows clients can use files that don't conform to the 8.3 format.
416 It can also be set to adjust the case of 8.3 format filenames.
418 There are several options that control the way mangling is
419 performed, and they are grouped here rather than listed separately.
420 For the defaults look at the output of the testparm program.
422 All of these options can be set separately for each service
423 (or globally, of course).
427 \fBmangling method\fR
428 controls the algorithm used for the generating
429 the mangled names. Can take two different values, "hash" and
430 "hash2". "hash" is the default and is the algorithm that has been
431 used in Samba for many years. "hash2" is a newer and considered
432 a better algorithm (generates less collisions) in the names.
433 However, many Win32 applications store the
434 mangled names and so changing to the new algorithm must not be done
435 lightly as these applications may break unless reinstalled.
436 New installations of Samba may set the default to hash2.
439 \fBmangle case = yes/no\fR
440 controls if names that have characters that
441 aren't of the "default" case are mangled. For example,
442 if this is yes then a name like "Mail" would be mangled.
445 \fBcase sensitive = yes/no\fR
446 controls whether filenames are case sensitive. If
447 they aren't then Samba must do a filename search and match on passed
448 names. Default \fBno\fR.
450 \fBdefault case = upper/lower\fR
451 controls what the default case is for new
452 filenames. Default \fBlower\fR.
454 \fBpreserve case = yes/no\fR
455 controls if new files are created with the
456 case that the client passes, or if they are forced to be the
457 "default" case. Default \fByes\fR.
459 \fBshort preserve case = yes/no\fR
460 controls if new files which conform to 8.3 syntax,
461 that is all in upper case and of suitable length, are created
462 upper case, or if they are forced to be the "default"
463 case. This option can be use with "preserve case = yes"
464 to permit long filenames to retain their case, while short names
465 are lowercased. Default \fByes\fR.
467 By default, Samba 2.2 has the same semantics as a Windows
468 NT server, in that it is case insensitive but case preserving.
470 .SH "NOTE ABOUT USERNAME/PASSWORD VALIDATION"
472 There are a number of ways in which a user can connect
473 to a service. The server uses the following steps in determining
474 if it will allow a connection to a specified service. If all the
475 steps fail, then the connection request is rejected. However, if one of the
476 steps succeeds, then the following steps are not checked.
478 If the service is marked "guest only = yes" and the
479 server is running with share-level security ("security = share")
480 then steps 1 to 5 are skipped.
482 If the client has passed a username/password
483 pair and that username/password pair is validated by the UNIX
484 system's password programs then the connection is made as that
485 username. Note that this includes the
486 \\\\server\\service%\fIusername\fR method of passing
489 If the client has previously registered a username
490 with the system and now supplies a correct password for that
491 username then the connection is allowed.
493 The client's NetBIOS name and any previously
494 used user names are checked against the supplied password, if
495 they match then the connection is allowed as the corresponding
498 If the client has previously validated a
499 username/password pair with the server and the client has passed
500 the validation token then that username is used.
502 If a "user = " field is given in the
503 \fIsmb.conf\fR file for the service and the client
504 has supplied a password, and that password matches (according to
505 the UNIX system's password checking) with one of the usernames
506 from the "user =" field then the connection is made as
507 the username in the "user =" line. If one
508 of the username in the "user =" list begins with a
509 \&'@' then that name expands to a list of names in
510 the group of the same name.
512 If the service is a guest service then a
513 connection is made as the username given in the "guest
514 account =" for the service, irrespective of the
516 .SH "COMPLETE LIST OF GLOBAL PARAMETERS"
518 Here is a list of all global parameters. See the section of
519 each parameter for details. Note that some are synonyms.
522 \fIadd printer command\fR
525 \fIadd share command\fR
528 \fIadd user script\fR
531 \fIallow trusted domains\fR
537 \fIannounce version\fR
543 \fIbind interfaces only\fR
549 \fIchange notify timeout\fR
552 \fIchange share command\fR
558 \fIclient code page\fR
561 \fIcode page directory\fR
573 \fIdebug hires timestamp\fR
579 \fIdebug timestamp\fR
591 \fIdefault service\fR
594 \fIdelete printer command\fR
597 \fIdelete share command\fR
600 \fIdelete user script\fR
606 \fIdisable spoolss\fR
612 \fIdomain admin group\fR
615 \fIdomain guest group\fR
624 \fIencrypt passwords\fR
627 \fIenhanced browsing\fR
630 \fIenumports command\fR
636 \fIhide local users\fR
639 \fIhide unreadable\fR
663 \fIlarge readwrite\fR
702 \fIlock spin count\fR
732 \fImachine password timeout\fR
738 \fImangling method\fR
759 \fImax smbd processes\fR
771 \fImessage command\fR
774 \fImin passwd length\fR
777 \fImin password length\fR
786 \fIname resolve order\fR
789 \fInetbios aliases\fR
801 \fInt pipe support\fR
807 \fInt status support\fR
813 \fIobey pam restrictions\fR
816 \fIoplock break wait time\fR
825 \fIpam password change\fR
834 \fIpasswd chat debug\fR
843 \fIpassword server\fR
846 \fIprefered master\fR
849 \fIpreferred master\fR
861 \fIprinter driver file\fR
876 \fIremote announce\fR
879 \fIremote browse sync\fR
882 \fIrestrict anonymous\fR
900 \fIshow add printer wizard\fR
903 \fIsmb passwd file\fR
912 \fIsource environment\fR
921 \fIssl CA certFile\fR
927 \fIssl client cert\fR
933 \fIssl compatibility\fR
939 \fIssl entropy bytes\fR
942 \fIssl entropy file\fR
948 \fIssl hosts resign\fR
951 \fIssl require clientcert\fR
954 \fIssl require servercert\fR
957 \fIssl server cert\fR
969 \fIstat cache size\fR
981 \fItemplate homedir\fR
996 \fItotal print jobs\fR
999 \fIunix extensions\fR
1002 \fIunix password sync\fR
1005 \fIupdate encrypted\fR
1014 \fIusername level\fR
1023 \fIutmp directory\fR
1029 \fIwinbind cache time\fR
1032 \fIwinbind enum users\fR
1035 \fIwinbind enum groups\fR
1041 \fIwinbind separator\fR
1047 \fIwinbind use default domain\fR
1066 .SH "COMPLETE LIST OF SERVICE PARAMETERS"
1068 Here is a list of all service parameters. See the section on
1069 each parameter for details. Note that some are synonyms.
1081 \fIblocking locks\fR
1093 \fIcase sensitive\fR
1117 \fIdefault devmode\fR
1120 \fIdelete readonly\fR
1123 \fIdelete veto files\fR
1132 \fIdirectory mask\fR
1135 \fIdirectory mode\fR
1138 \fIdirectory security mask\fR
1147 \fIdos filetime resolution\fR
1156 \fIfake directory create times\fR
1162 \fIfollow symlinks\fR
1165 \fIforce create mode\fR
1168 \fIforce directory mode\fR
1171 \fIforce directory security mode\fR
1177 \fIforce security mode\fR
1180 \fIforce unknown acl user\fR
1201 \fIhide dot files\fR
1219 \fIinherit permissions\fR
1225 \fIlevel2 oplocks\fR
1231 \fIlppause command\fR
1237 \fIlpresume command\fR
1270 \fImax connections\fR
1273 \fImax print jobs\fR
1276 \fImin print space\fR
1282 \fInt acl support\fR
1291 \fIoplock contention limit\fR
1333 \fIprinter driver\fR
1336 \fIprinter driver location\fR
1351 \fIqueuepause command\fR
1354 \fIqueueresume command\fR
1369 \fIroot preexec close\fR
1381 \fIshort preserve case\fR
1387 \fIstrict allocate\fR
1390 \fIstrict locking\fR
1399 \fIuse client driver\fR
1420 \fIveto oplock files\fR
1438 \fIwrite cache size\fR
1448 .SH "EXPLANATION OF EACH PARAMETER"
1450 \fBadd printer command (G)\fR
1451 With the introduction of MS-RPC based printing
1452 support for Windows NT/2000 clients in Samba 2.2, The MS Add
1453 Printer Wizard (APW) icon is now also available in the
1454 "Printers..." folder displayed a share listing. The APW
1455 allows for printers to be add remotely to a Samba or Windows
1456 NT/2000 print server.
1458 For a Samba host this means that the printer must be
1459 physically added to the underlying printing system. The \fIadd
1460 printer command\fR defines a script to be run which
1461 will perform the necessary operations for adding the printer
1462 to the print system and to add the appropriate service definition
1463 to the \fIsmb.conf\fR file in order that it can be
1464 shared by \fBsmbd(8)\fR
1467 The \fIadd printer command\fR is
1468 automatically invoked with the following parameter (in
1488 \fIWindows 9x driver location\fR
1491 All parameters are filled in from the PRINTER_INFO_2 structure sent
1492 by the Windows NT/2000 client with one exception. The "Windows 9x
1493 driver location" parameter is included for backwards compatibility
1494 only. The remaining fields in the structure are generated from answers
1495 to the APW questions.
1498 Once the \fIadd printer command\fR has
1499 been executed, \fBsmbd\fR will reparse the \fI smb.conf\fR to determine if the share defined by the APW
1500 exists. If the sharename is still invalid, then \fBsmbd
1501 \fRwill return an ACCESS_DENIED error to the client.
1504 See also \fI delete printer command\fR, \fIprinting\fR,
1512 Example: \fBaddprinter command = /usr/bin/addprinter
1515 \fBadd share command (G)\fR
1516 Samba 2.2.0 introduced the ability to dynamically
1517 add and delete shares via the Windows NT 4.0 Server Manager. The
1518 \fIadd share command\fR is used to define an
1519 external program or script which will add a new service definition
1520 to \fIsmb.conf\fR. In order to successfully
1521 execute the \fIadd share command\fR, \fBsmbd\fR
1522 requires that the administrator be connected using a root account (i.e.
1525 When executed, \fBsmbd\fR will automatically invoke the
1526 \fIadd share command\fR with four parameters.
1530 \fIconfigFile\fR - the location
1531 of the global \fIsmb.conf\fR file.
1534 \fIshareName\fR - the name of the new
1538 \fIpathName\fR - path to an **existing**
1542 \fIcomment\fR - comment string to associate
1546 This parameter is only used for add file shares. To add printer shares,
1547 see the \fIadd printer
1551 See also \fIchange share
1552 command\fR, \fIdelete share
1559 Example: \fBadd share command = /usr/local/bin/addshare\fR
1562 \fBadd user script (G)\fR
1563 This is the full pathname to a script that will
1564 be run \fBAS ROOT\fR by smbd(8)
1565 under special circumstances described below.
1567 Normally, a Samba server requires that UNIX users are
1568 created for all users accessing files on this server. For sites
1569 that use Windows NT account databases as their primary user database
1570 creating these users and keeping the user list in sync with the
1571 Windows NT PDC is an onerous task. This option allows smbd to create the required UNIX users
1572 \fBON DEMAND\fR when a user accesses the Samba server.
1574 In order to use this option, smbd
1575 must \fBNOT\fR be set to \fIsecurity = share\fR
1576 and \fIadd user script\fR
1577 must be set to a full pathname for a script that will create a UNIX
1578 user given one argument of \fI%u\fR, which expands into
1579 the UNIX user name to create.
1581 When the Windows user attempts to access the Samba server,
1582 at login (session setup in the SMB protocol) time, smbd contacts the \fIpassword server\fR and
1583 attempts to authenticate the given user with the given password. If the
1584 authentication succeeds then \fBsmbd\fR
1585 attempts to find a UNIX user in the UNIX password database to map the
1586 Windows user into. If this lookup fails, and \fIadd user script
1587 \fRis set then \fBsmbd\fR will
1588 call the specified script \fBAS ROOT\fR, expanding
1589 any \fI%u\fR argument to be the user name to create.
1591 If this script successfully creates the user then \fBsmbd
1592 \fRwill continue on as though the UNIX user
1593 already existed. In this way, UNIX users are dynamically created to
1594 match existing Windows NT accounts.
1596 See also \fI security\fR, \fIpassword server\fR,
1600 Default: \fBadd user script = <empty string>
1602 Example: \fBadd user script = /usr/local/samba/bin/add_user
1605 \fBadmin users (S)\fR
1606 This is a list of users who will be granted
1607 administrative privileges on the share. This means that they
1608 will do all file operations as the super-user (root).
1610 You should use this option very carefully, as any user in
1611 this list will be able to do anything they like on the share,
1612 irrespective of file permissions.
1614 Default: \fBno admin users\fR
1616 Example: \fBadmin users = jason\fR
1618 \fBallow hosts (S)\fR
1619 Synonym for \fIhosts allow\fR.
1621 \fBallow trusted domains (G)\fR
1622 This option only takes effect when the \fIsecurity\fR option is set to
1624 If it is set to no, then attempts to connect to a resource from
1625 a domain or workgroup other than the one which smbd is running
1626 in will fail, even if that domain is trusted by the remote server
1627 doing the authentication.
1629 This is useful if you only want your Samba server to
1630 serve resources to users in the domain it is a member of. As
1631 an example, suppose that there are two domains DOMA and DOMB. DOMB
1632 is trusted by DOMA, which contains the Samba server. Under normal
1633 circumstances, a user with an account in DOMB can then access the
1634 resources of a UNIX account with the same account name on the
1635 Samba server even if they do not have an account in DOMA. This
1636 can make implementing a security boundary difficult.
1638 Default: \fBallow trusted domains = yes\fR
1640 \fBannounce as (G)\fR
1641 This specifies what type of server
1643 will announce itself as, to a network neighborhood browse
1644 list. By default this is set to Windows NT. The valid options
1645 are : "NT Server" (which can also be written as "NT"),
1646 "NT Workstation", "Win95" or "WfW" meaning Windows NT Server,
1647 Windows NT Workstation, Windows 95 and Windows for Workgroups
1648 respectively. Do not change this parameter unless you have a
1649 specific need to stop Samba appearing as an NT server as this
1650 may prevent Samba servers from participating as browser servers
1653 Default: \fBannounce as = NT Server\fR
1655 Example: \fBannounce as = Win95\fR
1657 \fBannounce version (G)\fR
1658 This specifies the major and minor version numbers
1659 that nmbd will use when announcing itself as a server. The default
1660 is 4.5. Do not change this parameter unless you have a specific
1661 need to set a Samba server to be a downlevel server.
1663 Default: \fBannounce version = 4.5\fR
1665 Example: \fBannounce version = 2.0\fR
1667 \fBauto services (G)\fR
1668 This is a synonym for the \fIpreload\fR.
1671 This parameter lets you "turn off" a service. If
1672 \fIavailable = no\fR, then \fBALL\fR
1673 attempts to connect to the service will fail. Such failures are
1676 Default: \fBavailable = yes\fR
1678 \fBbind interfaces only (G)\fR
1679 This global parameter allows the Samba admin
1680 to limit what interfaces on a machine will serve SMB requests. If
1681 affects file service smbd(8) and
1682 name service nmbd(8) in slightly
1685 For name service it causes \fBnmbd\fR to bind
1686 to ports 137 and 138 on the interfaces listed in the interfaces parameter. \fBnmbd
1687 \fRalso binds to the "all addresses" interface (0.0.0.0)
1688 on ports 137 and 138 for the purposes of reading broadcast messages.
1689 If this option is not set then \fBnmbd\fR will service
1690 name requests on all of these sockets. If \fIbind interfaces
1691 only\fR is set then \fBnmbd\fR will check the
1692 source address of any packets coming in on the broadcast sockets
1693 and discard any that don't match the broadcast addresses of the
1694 interfaces in the \fIinterfaces\fR parameter list.
1695 As unicast packets are received on the other sockets it allows
1696 \fBnmbd\fR to refuse to serve names to machines that
1697 send packets that arrive through any interfaces not listed in the
1698 \fIinterfaces\fR list. IP Source address spoofing
1699 does defeat this simple check, however so it must not be used
1700 seriously as a security feature for \fBnmbd\fR.
1702 For file service it causes smbd(8)
1703 to bind only to the interface list given in the interfaces parameter. This restricts the networks that
1704 \fBsmbd\fR will serve to packets coming in those
1705 interfaces. Note that you should not use this parameter for machines
1706 that are serving PPP or other intermittent or non-broadcast network
1707 interfaces as it will not cope with non-permanent interfaces.
1709 If \fIbind interfaces only\fR is set then
1710 unless the network address \fB127.0.0.1\fR is added
1711 to the \fIinterfaces\fR parameter list \fBsmbpasswd(8)\fR
1712 and \fBswat(8)\fR may
1713 not work as expected due to the reasons covered below.
1715 To change a users SMB password, the \fBsmbpasswd\fR
1716 by default connects to the \fBlocalhost - 127.0.0.1\fR
1717 address as an SMB client to issue the password change request. If
1718 \fIbind interfaces only\fR is set then unless the
1719 network address \fB127.0.0.1\fR is added to the
1720 \fIinterfaces\fR parameter list then \fB smbpasswd\fR will fail to connect in it's default mode.
1721 \fBsmbpasswd\fR can be forced to use the primary IP interface
1722 of the local host by using its \fI-r remote machine\fR
1723 parameter, with \fIremote machine\fR set
1724 to the IP name of the primary interface of the local host.
1726 The \fBswat\fR status page tries to connect with
1727 \fBsmbd\fR and \fBnmbd\fR at the address
1728 \fB127.0.0.1\fR to determine if they are running.
1729 Not adding \fB127.0.0.1\fR will cause \fB smbd\fR and \fBnmbd\fR to always show
1730 "not running" even if they really are. This can prevent \fB swat\fR from starting/stopping/restarting \fBsmbd\fR
1733 Default: \fBbind interfaces only = no\fR
1735 \fBblock size (S)\fR
1736 This parameter controls the behavior of smbd(8) when reporting disk free sizes.
1737 By default, this reports a disk block size of 1024 bytes.
1739 Changing this parameter may have some effect on the
1740 efficiency of client writes, this is not yet confirmed. This
1741 parameter was added to allow advanced administrators to change
1742 it (usually to a higher value) and test the effect it has on
1743 client write performance without re-compiling the code. As this
1744 is an experimental option it may be removed in a future release.
1746 Changing this option does not change the disk free reporting
1747 size, just the block size unit reported to the client.
1749 Default: \fBblock size = 1024\fR
1751 Example: \fBblock size = 65536\fR
1753 \fBblocking locks (S)\fR
1754 This parameter controls the behavior of smbd(8) when given a request by a client
1755 to obtain a byte range lock on a region of an open file, and the
1756 request has a time limit associated with it.
1758 If this parameter is set and the lock range requested
1759 cannot be immediately satisfied, Samba 2.2 will internally
1760 queue the lock request, and periodically attempt to obtain
1761 the lock until the timeout period expires.
1763 If this parameter is set to no, then
1764 Samba 2.2 will behave as previous versions of Samba would and
1765 will fail the lock request immediately if the lock range
1768 Default: \fBblocking locks = yes\fR
1771 See the \fI browseable\fR.
1773 \fBbrowse list (G)\fR
1774 This controls whether \fBsmbd(8)\fR will serve a browse list to
1775 a client doing a \fBNetServerEnum\fR call. Normally
1776 set to yes. You should never need to change
1779 Default: \fBbrowse list = yes\fR
1781 \fBbrowseable (S)\fR
1782 This controls whether this share is seen in
1783 the list of available shares in a net view and in the browse list.
1785 Default: \fBbrowseable = yes\fR
1787 \fBcase sensitive (S)\fR
1788 See the discussion in the section NAME MANGLING.
1790 Default: \fBcase sensitive = no\fR
1792 \fBcasesignames (S)\fR
1796 \fBchange notify timeout (G)\fR
1797 This SMB allows a client to tell a server to
1798 "watch" a particular directory for any changes and only reply to
1799 the SMB request when a change has occurred. Such constant scanning of
1800 a directory is expensive under UNIX, hence an \fBsmbd(8)\fR daemon only performs such a scan
1801 on each requested directory once every \fIchange notify
1804 Default: \fBchange notify timeout = 60\fR
1806 Example: \fBchange notify timeout = 300\fR
1808 Would change the scan time to every 5 minutes.
1810 \fBchange share command (G)\fR
1811 Samba 2.2.0 introduced the ability to dynamically
1812 add and delete shares via the Windows NT 4.0 Server Manager. The
1813 \fIchange share command\fR is used to define an
1814 external program or script which will modify an existing service definition
1815 in \fIsmb.conf\fR. In order to successfully
1816 execute the \fIchange share command\fR, \fBsmbd\fR
1817 requires that the administrator be connected using a root account (i.e.
1820 When executed, \fBsmbd\fR will automatically invoke the
1821 \fIchange share command\fR with four parameters.
1825 \fIconfigFile\fR - the location
1826 of the global \fIsmb.conf\fR file.
1829 \fIshareName\fR - the name of the new
1833 \fIpathName\fR - path to an **existing**
1837 \fIcomment\fR - comment string to associate
1841 This parameter is only used modify existing file shares definitions. To modify
1842 printer shares, use the "Printers..." folder as seen when browsing the Samba host.
1845 See also \fIadd share
1846 command\fR, \fIdelete
1853 Example: \fBchange share command = /usr/local/bin/addshare\fR
1856 \fBcharacter set (G)\fR
1857 This allows smbd to map incoming filenames
1858 from a DOS Code page (see the client
1859 code page parameter) to several built in UNIX character sets.
1860 The built in code page translations are:
1864 ISO8859-1 : Western European
1865 UNIX character set. The parameter \fIclient code page\fR
1866 \fBMUST\fR be set to code page 850 if the
1867 \fIcharacter set\fR parameter is set to
1868 ISO8859-1 in order for the conversion to the
1869 UNIX character set to be done correctly.
1872 ISO8859-2 : Eastern European
1873 UNIX character set. The parameter \fIclient code page
1874 \fR\fBMUST\fR be set to code page 852 if
1875 the \fI character set\fR parameter is set
1876 to ISO8859-2 in order for the conversion
1877 to the UNIX character set to be done correctly.
1880 ISO8859-5 : Russian Cyrillic
1881 UNIX character set. The parameter \fIclient code page
1882 \fR\fBMUST\fR be set to code page
1883 866 if the \fIcharacter set \fR parameter is
1884 set to ISO8859-5 in order for the conversion
1885 to the UNIX character set to be done correctly.
1888 ISO8859-7 : Greek UNIX
1889 character set. The parameter \fIclient code page
1890 \fR\fBMUST\fR be set to code page
1891 737 if the \fIcharacter set\fR parameter is
1892 set to ISO8859-7 in order for the conversion
1893 to the UNIX character set to be done correctly.
1896 KOI8-R : Alternate mapping
1897 for Russian Cyrillic UNIX character set. The parameter
1898 \fIclient code page\fR \fBMUST\fR
1899 be set to code page 866 if the \fIcharacter set\fR
1900 parameter is set to KOI8-R in order for the
1901 conversion to the UNIX character set to be done correctly.
1904 \fBBUG\fR. These MSDOS code page to UNIX character
1905 set mappings should be dynamic, like the loading of MS DOS code pages,
1909 Normally this parameter is not set, meaning no filename
1910 translation is done.
1913 Default: \fBcharacter set = <empty string>\fR
1916 Example: \fBcharacter set = ISO8859-1\fR
1919 \fBclient code page (G)\fR
1920 This parameter specifies the DOS code page
1921 that the clients accessing Samba are using. To determine what code
1922 page a Windows or DOS client is using, open a DOS command prompt
1923 and type the command \fBchcp\fR. This will output
1924 the code page. The default for USA MS-DOS, Windows 95, and
1925 Windows NT releases is code page 437. The default for western
1926 European releases of the above operating systems is code page 850.
1928 This parameter tells smbd(8)
1929 which of the \fIcodepage.XXX
1930 \fRfiles to dynamically load on startup. These files,
1931 described more fully in the manual page \fBmake_smbcodepage(1)\fR tell \fB smbd\fR how to map lower to upper case characters to provide
1932 the case insensitivity of filenames that Windows clients expect.
1934 Samba currently ships with the following code page files :
1938 Code Page 437 - MS-DOS Latin US
1941 Code Page 737 - Windows '95 Greek
1944 Code Page 850 - MS-DOS Latin 1
1947 Code Page 852 - MS-DOS Latin 2
1950 Code Page 861 - MS-DOS Icelandic
1953 Code Page 866 - MS-DOS Cyrillic
1956 Code Page 932 - MS-DOS Japanese SJIS
1959 Code Page 936 - MS-DOS Simplified Chinese
1962 Code Page 949 - MS-DOS Korean Hangul
1965 Code Page 950 - MS-DOS Traditional Chinese
1968 Thus this parameter may have any of the values 437, 737, 850, 852,
1969 861, 932, 936, 949, or 950. If you don't find the codepage you need,
1970 read the comments in one of the other codepage files and the
1971 \fBmake_smbcodepage(1)\fR man page and write one. Please
1972 remember to donate it back to the Samba user community.
1975 This parameter co-operates with the \fIvalid
1976 chars\fR parameter in determining what characters are
1977 valid in filenames and how capitalization is done. If you set both
1978 this parameter and the \fIvalid chars\fR parameter
1979 the \fIclient code page\fR parameter
1980 \fBMUST\fR be set before the \fIvalid
1981 chars\fR parameter in the \fIsmb.conf\fR
1982 file. The \fIvalid chars\fR string will then
1983 augment the character settings in the \fIclient code page\fR
1987 If not set, \fIclient code page\fR defaults
1992 chars\fR, \fIcode page directory\fR
1995 Default: \fBclient code page = 850\fR
1998 Example: \fBclient code page = 936\fR
2001 \fBcode page directory (G)\fR
2002 Define the location of the various client code page
2008 Default: \fBcode page directory = ${prefix}/lib/codepages
2010 Example: \fBcode page directory = /usr/share/samba/codepages
2012 \fBcoding system (G)\fR
2013 This parameter is used to determine how incoming
2014 Shift-JIS Japanese characters are mapped from the incoming \fIclient code page\fR
2015 used by the client, into file names in the UNIX filesystem.
2016 Only useful if \fIclient code page\fR is set to
2017 932 (Japanese Shift-JIS). The options are :
2021 SJIS - Shift-JIS. Does no
2022 conversion of the incoming filename.
2025 JIS8, J8BB, J8BH, J8@B,
2026 J8@J, J8@H - Convert from incoming Shift-JIS to eight
2027 bit JIS code with different shift-in, shift out codes.
2030 JIS7, J7BB, J7BH, J7@B, J7@J,
2031 J7@H - Convert from incoming Shift-JIS to seven bit
2032 JIS code with different shift-in, shift out codes.
2035 JUNET, JUBB, JUBH, JU@B, JU@J, JU@H
2036 - Convert from incoming Shift-JIS to JUNET code with different shift-in,
2040 EUC - Convert an incoming
2041 Shift-JIS character to EUC code.
2044 HEX - Convert an incoming
2045 Shift-JIS character to a 3 byte hex representation, i.e.
2049 CAP - Convert an incoming
2050 Shift-JIS character to the 3 byte hex representation used by
2051 the Columbia AppleTalk Program (CAP), i.e. :AB.
2052 This is used for compatibility between Samba and CAP.
2055 Default: \fBcoding system = <empty value>\fR
2059 This is a text field that is seen next to a share
2060 when a client does a queries the server, either via the network
2061 neighborhood or via \fBnet view\fR to list what shares
2064 If you want to set the string that is displayed next to the
2065 machine name then see the \fI server string\fR parameter.
2067 Default: \fBNo comment string\fR
2069 Example: \fBcomment = Fred's Files\fR
2071 \fBconfig file (G)\fR
2072 This allows you to override the config file
2073 to use, instead of the default (usually \fIsmb.conf\fR).
2074 There is a chicken and egg problem here as this option is set
2077 For this reason, if the name of the config file has changed
2078 when the parameters are loaded then it will reload them from
2079 the new config file.
2081 This option takes the usual substitutions, which can
2084 If the config file doesn't exist then it won't be loaded
2085 (allowing you to special case the config files of just a few
2088 Example: \fBconfig file = /usr/local/samba/lib/smb.conf.%m
2091 This parameter allows you to "clone" service
2092 entries. The specified service is simply duplicated under the
2093 current service's name. Any parameters specified in the current
2094 section will override those in the section being copied.
2096 This feature lets you set up a 'template' service and
2097 create similar services easily. Note that the service being
2098 copied must occur earlier in the configuration file than the
2099 service doing the copying.
2101 Default: \fBno value\fR
2103 Example: \fBcopy = otherservice\fR
2105 \fBcreate mask (S)\fR
2106 A synonym for this parameter is
2110 When a file is created, the necessary permissions are
2111 calculated according to the mapping from DOS modes to UNIX
2112 permissions, and the resulting UNIX mode is then bit-wise 'AND'ed
2113 with this parameter. This parameter may be thought of as a bit-wise
2114 MASK for the UNIX modes of a file. Any bit \fBnot\fR
2115 set here will be removed from the modes set on a file when it is
2118 The default value of this parameter removes the
2119 \&'group' and 'other' write and execute bits from the UNIX modes.
2121 Following this Samba will bit-wise 'OR' the UNIX mode created
2122 from this parameter with the value of the \fIforce create mode\fR
2123 parameter which is set to 000 by default.
2125 This parameter does not affect directory modes. See the
2126 parameter \fIdirectory mode
2129 See also the \fIforce
2130 create mode\fR parameter for forcing particular mode
2131 bits to be set on created files. See also the \fIdirectory mode\fR parameter for masking
2132 mode bits on created directories. See also the \fIinherit permissions\fR parameter.
2134 Note that this parameter does not apply to permissions
2135 set by Windows NT/2000 ACL editors. If the administrator wishes to enforce
2136 a mask on access control lists also, they need to set the \fIsecurity mask\fR.
2138 Default: \fBcreate mask = 0744\fR
2140 Example: \fBcreate mask = 0775\fR
2142 \fBcreate mode (S)\fR
2143 This is a synonym for \fI create mask\fR.
2145 \fBcsc policy (S)\fR
2146 This stands for \fBclient-side caching
2147 policy\fR, and specifies how clients capable of offline
2148 caching will cache the files in the share. The valid values
2149 are: manual, documents, programs, disable.
2151 These values correspond to those used on Windows
2154 For example, shares containing roaming profiles can have
2155 offline caching disabled using \fBcsc policy = disable
2158 Default: \fBcsc policy = manual\fR
2160 Example: \fBcsc policy = programs\fR
2163 The value of the parameter (a decimal integer)
2164 represents the number of minutes of inactivity before a connection
2165 is considered dead, and it is disconnected. The deadtime only takes
2166 effect if the number of open files is zero.
2168 This is useful to stop a server's resources being
2169 exhausted by a large number of inactive connections.
2171 Most clients have an auto-reconnect feature when a
2172 connection is broken so in most cases this parameter should be
2173 transparent to users.
2175 Using this parameter with a timeout of a few minutes
2176 is recommended for most systems.
2178 A deadtime of zero indicates that no auto-disconnection
2179 should be performed.
2181 Default: \fBdeadtime = 0\fR
2183 Example: \fBdeadtime = 15\fR
2185 \fBdebug hires timestamp (G)\fR
2186 Sometimes the timestamps in the log messages
2187 are needed with a resolution of higher that seconds, this
2188 boolean parameter adds microsecond resolution to the timestamp
2189 message header when turned on.
2191 Note that the parameter \fI debug timestamp\fR must be on for this to have an
2194 Default: \fBdebug hires timestamp = no\fR
2197 When using only one log file for more then one
2198 forked smbdprocess there may be hard to follow which process
2199 outputs which message. This boolean parameter is adds the process-id
2200 to the timestamp message headers in the logfile when turned on.
2202 Note that the parameter \fI debug timestamp\fR must be on for this to have an
2205 Default: \fBdebug pid = no\fR
2207 \fBdebug timestamp (G)\fR
2208 Samba 2.2 debug log messages are timestamped
2209 by default. If you are running at a high \fIdebug level\fR these timestamps
2210 can be distracting. This boolean parameter allows timestamping
2213 Default: \fBdebug timestamp = yes\fR
2216 Samba is sometimes run as root and sometime
2217 run as the connected user, this boolean parameter inserts the
2218 current euid, egid, uid and gid to the timestamp message headers
2219 in the log file if turned on.
2221 Note that the parameter \fI debug timestamp\fR must be on for this to have an
2224 Default: \fBdebug uid = no\fR
2226 \fBdebuglevel (G)\fR
2227 Synonym for \fI log level\fR.
2230 A synonym for \fI default service\fR.
2232 \fBdefault case (S)\fR
2233 See the section on NAME MANGLING. Also note the \fIshort preserve case\fR parameter.
2235 Default: \fBdefault case = lower\fR
2237 \fBdefault devmode (S)\fR
2238 This parameter is only applicable to printable services. When smbd is serving
2239 Printer Drivers to Windows NT/2k/XP clients, each printer on the Samba
2240 server has a Device Mode which defines things such as paper size and
2241 orientation and duplex settings. The device mode can only correctly be
2242 generated by the printer driver itself (which can only be executed on a
2243 Win32 platform). Because smbd is unable to execute the driver code
2244 to generate the device mode, the default behavior is to set this field
2247 Most problems with serving printer drivers to Windows NT/2k/XP clients
2248 can be traced to a problem with the generated device mode. Certain drivers
2249 will do things such as crashing the client's Explorer.exe with a NULL devmode.
2250 However, other printer drivers can cause the client's spooler service
2251 (spoolsv.exe) to die if the devmode was not created by the driver itself
2252 (i.e. smbd generates a default devmode).
2254 This parameter should be used with care and tested with the printer
2255 driver in question. It is better to leave the device mode to NULL
2256 and let the Windows client set the correct values. Because drivers do not
2257 do this all the time, setting \fBdefault devmode = yes\fR
2258 will instruct smbd to generate a default one.
2260 For more information on Windows NT/2k printing and Device Modes,
2261 see the MSDN documentation <URL:http://msdn.microsoft.com/>.
2263 Default: \fBdefault devmode = no\fR
2265 \fBdefault service (G)\fR
2266 This parameter specifies the name of a service
2267 which will be connected to if the service actually requested cannot
2268 be found. Note that the square brackets are \fBNOT\fR
2269 given in the parameter value (see example below).
2271 There is no default value for this parameter. If this
2272 parameter is not given, attempting to connect to a nonexistent
2273 service results in an error.
2275 Typically the default service would be a \fIguest ok\fR, \fIread-only\fR service.
2277 Also note that the apparent service name will be changed
2278 to equal that of the requested service, this is very useful as it
2279 allows you to use macros like \fI%S\fR to make
2282 Note also that any "_" characters in the name of the service
2283 used in the default service will get mapped to a "/". This allows for
2291 default service = pub
2299 \fBdelete printer command (G)\fR
2300 With the introduction of MS-RPC based printer
2301 support for Windows NT/2000 clients in Samba 2.2, it is now
2302 possible to delete printer at run time by issuing the
2303 DeletePrinter() RPC call.
2305 For a Samba host this means that the printer must be
2306 physically deleted from underlying printing system. The \fI deleteprinter command\fR defines a script to be run which
2307 will perform the necessary operations for removing the printer
2308 from the print system and from \fIsmb.conf\fR.
2310 The \fIdelete printer command\fR is
2311 automatically called with only one parameter: \fI "printer name"\fR.
2313 Once the \fIdelete printer command\fR has
2314 been executed, \fBsmbd\fR will reparse the \fI smb.conf\fR to associated printer no longer exists.
2315 If the sharename is still valid, then \fBsmbd
2316 \fRwill return an ACCESS_DENIED error to the client.
2318 See also \fI add printer command\fR, \fIprinting\fR,
2324 Example: \fBdeleteprinter command = /usr/bin/removeprinter
2326 \fBdelete readonly (S)\fR
2327 This parameter allows readonly files to be deleted.
2328 This is not normal DOS semantics, but is allowed by UNIX.
2330 This option may be useful for running applications such
2331 as rcs, where UNIX file ownership prevents changing file
2332 permissions, and DOS semantics prevent deletion of a read only file.
2334 Default: \fBdelete readonly = no\fR
2336 \fBdelete share command (G)\fR
2337 Samba 2.2.0 introduced the ability to dynamically
2338 add and delete shares via the Windows NT 4.0 Server Manager. The
2339 \fIdelete share command\fR is used to define an
2340 external program or script which will remove an existing service
2341 definition from \fIsmb.conf\fR. In order to successfully
2342 execute the \fIdelete share command\fR, \fBsmbd\fR
2343 requires that the administrator be connected using a root account (i.e.
2346 When executed, \fBsmbd\fR will automatically invoke the
2347 \fIdelete share command\fR with two parameters.
2351 \fIconfigFile\fR - the location
2352 of the global \fIsmb.conf\fR file.
2355 \fIshareName\fR - the name of
2356 the existing service.
2359 This parameter is only used to remove file shares. To delete printer shares,
2360 see the \fIdelete printer
2364 See also \fIadd share
2365 command\fR, \fIchange
2372 Example: \fBdelete share command = /usr/local/bin/delshare\fR
2375 \fBdelete user script (G)\fR
2376 This is the full pathname to a script that will
2377 be run \fBAS ROOT\fR by \fBsmbd(8)\fR under special circumstances
2380 Normally, a Samba server requires that UNIX users are
2381 created for all users accessing files on this server. For sites
2382 that use Windows NT account databases as their primary user database
2383 creating these users and keeping the user list in sync with the
2384 Windows NT PDC is an onerous task. This option allows \fB smbd\fR to delete the required UNIX users \fBON
2385 DEMAND\fR when a user accesses the Samba server and the
2386 Windows NT user no longer exists.
2388 In order to use this option, \fBsmbd\fR must be
2389 set to \fIsecurity = domain\fR or \fIsecurity =
2390 user\fR and \fIdelete user script\fR
2391 must be set to a full pathname for a script
2392 that will delete a UNIX user given one argument of \fI%u\fR,
2393 which expands into the UNIX user name to delete.
2395 When the Windows user attempts to access the Samba server,
2396 at \fBlogin\fR (session setup in the SMB protocol)
2397 time, \fBsmbd\fR contacts the \fIpassword server\fR and attempts to authenticate
2398 the given user with the given password. If the authentication fails
2399 with the specific Domain error code meaning that the user no longer
2400 exists then \fBsmbd\fR attempts to find a UNIX user in
2401 the UNIX password database that matches the Windows user account. If
2402 this lookup succeeds, and \fIdelete user script\fR is
2403 set then \fBsmbd\fR will all the specified script
2404 \fBAS ROOT\fR, expanding any \fI%u\fR
2405 argument to be the user name to delete.
2407 This script should delete the given UNIX username. In this way,
2408 UNIX users are dynamically deleted to match existing Windows NT
2411 See also security = domain,
2412 \fIpassword server\fR
2413 , \fIadd user script\fR
2416 Default: \fBdelete user script = <empty string>
2418 Example: \fBdelete user script = /usr/local/samba/bin/del_user
2421 \fBdelete veto files (S)\fR
2422 This option is used when Samba is attempting to
2423 delete a directory that contains one or more vetoed directories
2424 (see the \fIveto files\fR
2425 option). If this option is set to no (the default) then if a vetoed
2426 directory contains any non-vetoed files or directories then the
2427 directory delete will fail. This is usually what you want.
2429 If this option is set to yes, then Samba
2430 will attempt to recursively delete any files and directories within
2431 the vetoed directory. This can be useful for integration with file
2432 serving systems such as NetAtalk which create meta-files within
2433 directories you might normally veto DOS/Windows users from seeing
2434 (e.g. \fI.AppleDouble\fR)
2436 Setting \fBdelete veto files = yes\fR allows these
2437 directories to be transparently deleted when the parent directory
2438 is deleted (so long as the user has permissions to do so).
2440 See also the \fIveto
2443 Default: \fBdelete veto files = no\fR
2445 \fBdeny hosts (S)\fR
2446 Synonym for \fIhosts
2449 \fBdfree command (G)\fR
2450 The \fIdfree command\fR setting should
2451 only be used on systems where a problem occurs with the internal
2452 disk space calculations. This has been known to happen with Ultrix,
2453 but may occur with other operating systems. The symptom that was
2454 seen was an error of "Abort Retry Ignore" at the end of each
2457 This setting allows the replacement of the internal routines to
2458 calculate the total disk space and amount available with an external
2459 routine. The example below gives a possible script that might fulfill
2462 The external program will be passed a single parameter indicating
2463 a directory in the filesystem being queried. This will typically consist
2464 of the string \fI./\fR. The script should return two
2465 integers in ASCII. The first should be the total disk space in blocks,
2466 and the second should be the number of available blocks. An optional
2467 third return value can give the block size in bytes. The default
2468 blocksize is 1024 bytes.
2470 Note: Your script should \fBNOT\fR be setuid or
2471 setgid and should be owned by (and writeable only by) root!
2473 Default: \fBBy default internal routines for
2474 determining the disk capacity and remaining space will be used.
2476 Example: \fBdfree command = /usr/local/samba/bin/dfree
2478 Where the script dfree (which must be made executable) could be:
2484 df $1 | tail -1 | awk '{print $2" "$4}'
2489 or perhaps (on Sys V based systems):
2495 /usr/bin/df -k $1 | tail -1 | awk '{print $3" "$5}'
2500 Note that you may have to replace the command names
2501 with full path names on some systems.
2507 \fBdirectory mask (S)\fR
2508 This parameter is the octal modes which are
2509 used when converting DOS modes to UNIX modes when creating UNIX
2512 When a directory is created, the necessary permissions are
2513 calculated according to the mapping from DOS modes to UNIX permissions,
2514 and the resulting UNIX mode is then bit-wise 'AND'ed with this
2515 parameter. This parameter may be thought of as a bit-wise MASK for
2516 the UNIX modes of a directory. Any bit \fBnot\fR set
2517 here will be removed from the modes set on a directory when it is
2520 The default value of this parameter removes the 'group'
2521 and 'other' write bits from the UNIX mode, allowing only the
2522 user who owns the directory to modify it.
2524 Following this Samba will bit-wise 'OR' the UNIX mode
2525 created from this parameter with the value of the \fIforce directory mode
2526 \fRparameter. This parameter is set to 000 by
2527 default (i.e. no extra mode bits are added).
2529 Note that this parameter does not apply to permissions
2530 set by Windows NT/2000 ACL editors. If the administrator wishes to enforce
2531 a mask on access control lists also, they need to set the \fIdirectory security mask\fR.
2534 directory mode\fR parameter to cause particular mode
2535 bits to always be set on created directories.
2537 See also the \fIcreate mode
2538 \fRparameter for masking mode bits on created files,
2539 and the \fIdirectory
2540 security mask\fR parameter.
2542 Also refer to the \fI inherit permissions\fR parameter.
2544 Default: \fBdirectory mask = 0755\fR
2546 Example: \fBdirectory mask = 0775\fR
2548 \fBdirectory mode (S)\fR
2549 Synonym for \fI directory mask\fR
2551 \fBdirectory security mask (S)\fR
2552 This parameter controls what UNIX permission bits
2553 can be modified when a Windows NT client is manipulating the UNIX
2554 permission on a directory using the native NT security dialog
2557 This parameter is applied as a mask (AND'ed with) to
2558 the changed permission bits, thus preventing any bits not in
2559 this mask from being modified. Essentially, zero bits in this
2560 mask may be treated as a set of bits the user is not allowed
2563 If not set explicitly this parameter is set to 0777
2564 meaning a user is allowed to modify all the user/group/world
2565 permissions on a directory.
2567 \fBNote\fR that users who can access the
2568 Samba server through other means can easily bypass this restriction,
2569 so it is primarily useful for standalone "appliance" systems.
2570 Administrators of most normal systems will probably want to leave
2571 it as the default of 0777.
2573 See also the \fI force directory security mode\fR, \fIsecurity mask\fR,
2574 \fIforce security mode
2577 Default: \fBdirectory security mask = 0777\fR
2579 Example: \fBdirectory security mask = 0700\fR
2581 \fBdisable spoolss (G)\fR
2582 Enabling this parameter will disables Samba's support
2583 for the SPOOLSS set of MS-RPC's and will yield identical behavior
2584 as Samba 2.0.x. Windows NT/2000 clients will downgrade to using
2585 Lanman style printing commands. Windows 9x/ME will be uneffected by
2586 the parameter. However, this will also disable the ability to upload
2587 printer drivers to a Samba server via the Windows NT Add Printer
2588 Wizard or by using the NT printer properties dialog window. It will
2589 also disable the capability of Windows NT/2000 clients to download
2590 print drivers from the Samba host upon demand.
2591 \fBBe very careful about enabling this parameter.\fR
2593 See also use client driver
2595 Default : \fBdisable spoolss = no\fR
2598 Specifies that nmbd(8)
2599 when acting as a WINS server and finding that a NetBIOS name has not
2600 been registered, should treat the NetBIOS name word-for-word as a DNS
2601 name and do a lookup with the DNS server for that name on behalf of
2602 the name-querying client.
2604 Note that the maximum length for a NetBIOS name is 15
2605 characters, so the DNS name (or DNS alias) can likewise only be
2606 15 characters, maximum.
2608 \fBnmbd\fR spawns a second copy of itself to do the
2609 DNS name lookup requests, as doing a name lookup is a blocking
2612 See also the parameter \fI wins support\fR.
2614 Default: \fBdns proxy = yes\fR
2616 \fBdomain admin group (G)\fR
2617 This parameter is intended as a temporary solution
2618 to enable users to be a member of the "Domain Admins" group when
2619 a Samba host is acting as a PDC. A complete solution will be provided
2620 by a system for mapping Windows NT/2000 groups onto UNIX groups.
2621 Please note that this parameter has a somewhat confusing name. It
2622 accepts a list of usernames and of group names in standard
2623 \fIsmb.conf\fR notation.
2626 guest group\fR, \fIdomain
2629 Default: \fBno domain administrators\fR
2631 Example: \fBdomain admin group = root @wheel\fR
2633 \fBdomain guest group (G)\fR
2634 This parameter is intended as a temporary solution
2635 to enable users to be a member of the "Domain Guests" group when
2636 a Samba host is acting as a PDC. A complete solution will be provided
2637 by a system for mapping Windows NT/2000 groups onto UNIX groups.
2638 Please note that this parameter has a somewhat confusing name. It
2639 accepts a list of usernames and of group names in standard
2640 \fIsmb.conf\fR notation.
2643 admin group\fR, \fIdomain
2646 Default: \fBno domain guests\fR
2648 Example: \fBdomain guest group = nobody @guest\fR
2650 \fBdomain logons (G)\fR
2651 If set to yes, the Samba server will serve
2652 Windows 95/98 Domain logons for the \fIworkgroup\fR it is in. Samba 2.2 also
2653 has limited capability to act as a domain controller for Windows
2654 NT 4 Domains. For more details on setting up this feature see
2655 the Samba-PDC-HOWTO included in the \fIhtmldocs/\fR
2656 directory shipped with the source code.
2658 Default: \fBdomain logons = no\fR
2660 \fBdomain master (G)\fR
2661 Tell \fB nmbd(8)\fR to enable WAN-wide browse list
2662 collation. Setting this option causes \fBnmbd\fR to
2663 claim a special domain specific NetBIOS name that identifies
2664 it as a domain master browser for its given \fIworkgroup\fR. Local master browsers
2665 in the same \fIworkgroup\fR on broadcast-isolated
2666 subnets will give this \fBnmbd\fR their local browse lists,
2667 and then ask \fBsmbd(8)\fR
2668 for a complete copy of the browse list for the whole wide area
2669 network. Browser clients will then contact their local master browser,
2670 and will receive the domain-wide browse list, instead of just the list
2671 for their broadcast-isolated subnet.
2673 Note that Windows NT Primary Domain Controllers expect to be
2674 able to claim this \fIworkgroup\fR specific special
2675 NetBIOS name that identifies them as domain master browsers for
2676 that \fIworkgroup\fR by default (i.e. there is no
2677 way to prevent a Windows NT PDC from attempting to do this). This
2678 means that if this parameter is set and \fBnmbd\fR claims
2679 the special name for a \fIworkgroup\fR before a Windows
2680 NT PDC is able to do so then cross subnet browsing will behave
2681 strangely and may fail.
2683 If \fBdomain logons = yes\fR
2684 , then the default behavior is to enable the \fIdomain
2685 master\fR parameter. If \fIdomain logons\fR is
2686 not enabled (the default setting), then neither will \fIdomain
2687 master\fR be enabled by default.
2689 Default: \fBdomain master = auto\fR
2691 \fBdont descend (S)\fR
2692 There are certain directories on some systems
2693 (e.g., the \fI/proc\fR tree under Linux) that are either not
2694 of interest to clients or are infinitely deep (recursive). This
2695 parameter allows you to specify a comma-delimited list of directories
2696 that the server should always show as empty.
2698 Note that Samba can be very fussy about the exact format
2699 of the "dont descend" entries. For example you may need \fI ./proc\fR instead of just \fI/proc\fR.
2700 Experimentation is the best policy :-)
2702 Default: \fBnone (i.e., all directories are OK
2705 Example: \fBdont descend = /proc,/dev\fR
2707 \fBdos filemode (S)\fR
2708 The default behavior in Samba is to provide
2709 UNIX-like behavior where only the owner of a file/directory is
2710 able to change the permissions on it. However, this behavior
2711 is often confusing to DOS/Windows users. Enabling this parameter
2712 allows a user who has write access to the file (by whatever
2713 means) to modify the permissions on it. Note that a user
2714 belonging to the group owning the file will not be allowed to
2715 change permissions if the group is only granted read access.
2716 Ownership of the file/directory is not changed, only the permissions
2719 Default: \fBdos filemode = no\fR
2721 \fBdos filetime resolution (S)\fR
2722 Under the DOS and Windows FAT filesystem, the finest
2723 granularity on time resolution is two seconds. Setting this parameter
2724 for a share causes Samba to round the reported time down to the
2725 nearest two second boundary when a query call that requires one second
2726 resolution is made to \fBsmbd(8)\fR
2729 This option is mainly used as a compatibility option for Visual
2730 C++ when used against Samba shares. If oplocks are enabled on a
2731 share, Visual C++ uses two different time reading calls to check if a
2732 file has changed since it was last read. One of these calls uses a
2733 one-second granularity, the other uses a two second granularity. As
2734 the two second call rounds any odd second down, then if the file has a
2735 timestamp of an odd number of seconds then the two timestamps will not
2736 match and Visual C++ will keep reporting the file has changed. Setting
2737 this option causes the two timestamps to match, and Visual C++ is
2740 Default: \fBdos filetime resolution = no\fR
2742 \fBdos filetimes (S)\fR
2743 Under DOS and Windows, if a user can write to a
2744 file they can change the timestamp on it. Under POSIX semantics,
2745 only the owner of the file or root may change the timestamp. By
2746 default, Samba runs with POSIX semantics and refuses to change the
2747 timestamp on a file if the user \fBsmbd\fR is acting
2748 on behalf of is not the file owner. Setting this option to yes allows DOS semantics and smbd will change the file
2749 timestamp as DOS requires.
2751 Default: \fBdos filetimes = no\fR
2753 \fBencrypt passwords (G)\fR
2754 This boolean controls whether encrypted passwords
2755 will be negotiated with the client. Note that Windows NT 4.0 SP3 and
2756 above and also Windows 98 will by default expect encrypted passwords
2757 unless a registry entry is changed. To use encrypted passwords in
2758 Samba see the file ENCRYPTION.txt in the Samba documentation
2759 directory \fIdocs/\fR shipped with the source code.
2761 In order for encrypted passwords to work correctly
2762 \fBsmbd(8)\fR must either
2763 have access to a local \fIsmbpasswd(5)
2764 \fR program for information on how to set up
2765 and maintain this file), or set the security = [server|domain] parameter which
2766 causes \fBsmbd\fR to authenticate against another
2769 Default: \fBencrypt passwords = no\fR
2771 \fBenhanced browsing (G)\fR
2772 This option enables a couple of enhancements to
2773 cross-subnet browse propagation that have been added in Samba
2774 but which are not standard in Microsoft implementations.
2776 The first enhancement to browse propagation consists of a regular
2777 wildcard query to a Samba WINS server for all Domain Master Browsers,
2778 followed by a browse synchronization with each of the returned
2779 DMBs. The second enhancement consists of a regular randomised browse
2780 synchronization with all currently known DMBs.
2782 You may wish to disable this option if you have a problem with empty
2783 workgroups not disappearing from browse lists. Due to the restrictions
2784 of the browse protocols these enhancements can cause a empty workgroup
2785 to stay around forever which can be annoying.
2787 In general you should leave this option enabled as it makes
2788 cross-subnet browse propagation much more reliable.
2790 Default: \fBenhanced browsing = yes\fR
2792 \fBenumports command (G)\fR
2793 The concept of a "port" is fairly foreign
2794 to UNIX hosts. Under Windows NT/2000 print servers, a port
2795 is associated with a port monitor and generally takes the form of
2796 a local port (i.e. LPT1:, COM1:, FILE:) or a remote port
2797 (i.e. LPD Port Monitor, etc...). By default, Samba has only one
2798 port defined--"Samba Printer Port". Under
2799 Windows NT/2000, all printers must have a valid port name.
2800 If you wish to have a list of ports displayed (\fBsmbd
2801 \fRdoes not use a port name for anything) other than
2802 the default "Samba Printer Port", you
2803 can define \fIenumports command\fR to point to
2804 a program which should generate a list of ports, one per line,
2805 to standard output. This listing will then be used in response
2806 to the level 1 and 2 EnumPorts() RPC.
2808 Default: \fBno enumports command\fR
2810 Example: \fBenumports command = /usr/bin/listports
2813 This is a synonym for \fIpreexec\fR.
2815 \fBfake directory create times (S)\fR
2816 NTFS and Windows VFAT file systems keep a create
2817 time for all files and directories. This is not the same as the
2818 ctime - status change time - that Unix keeps, so Samba by default
2819 reports the earliest of the various times Unix does keep. Setting
2820 this parameter for a share causes Samba to always report midnight
2821 1-1-1980 as the create time for directories.
2823 This option is mainly used as a compatibility option for
2824 Visual C++ when used against Samba shares. Visual C++ generated
2825 makefiles have the object directory as a dependency for each object
2826 file, and a make rule to create the directory. Also, when NMAKE
2827 compares timestamps it uses the creation time when examining a
2828 directory. Thus the object directory will be created if it does not
2829 exist, but once it does exist it will always have an earlier
2830 timestamp than the object files it contains.
2832 However, Unix time semantics mean that the create time
2833 reported by Samba will be updated whenever a file is created or
2834 or deleted in the directory. NMAKE finds all object files in
2835 the object directory. The timestamp of the last one built is then
2836 compared to the timestamp of the object directory. If the
2837 directory's timestamp if newer, then all object files
2838 will be rebuilt. Enabling this option
2839 ensures directories always predate their contents and an NMAKE build
2840 will proceed as expected.
2842 Default: \fBfake directory create times = no\fR
2844 \fBfake oplocks (S)\fR
2845 Oplocks are the way that SMB clients get permission
2846 from a server to locally cache file operations. If a server grants
2847 an oplock (opportunistic lock) then the client is free to assume
2848 that it is the only one accessing the file and it will aggressively
2849 cache file data. With some oplock types the client may even cache
2850 file open/close operations. This can give enormous performance benefits.
2852 When you set \fBfake oplocks = yes\fR, \fBsmbd(8)\fR will
2853 always grant oplock requests no matter how many clients are using
2856 It is generally much better to use the real \fIoplocks\fR support rather
2857 than this parameter.
2859 If you enable this option on all read-only shares or
2860 shares that you know will only be accessed from one client at a
2861 time such as physically read-only media like CDROMs, you will see
2862 a big performance improvement on many operations. If you enable
2863 this option on shares where multiple clients may be accessing the
2864 files read-write at the same time you can get data corruption. Use
2865 this option carefully!
2867 Default: \fBfake oplocks = no\fR
2869 \fBfollow symlinks (S)\fR
2870 This parameter allows the Samba administrator
2871 to stop \fBsmbd(8)\fR
2872 from following symbolic links in a particular share. Setting this
2873 parameter to no prevents any file or directory
2874 that is a symbolic link from being followed (the user will get an
2875 error). This option is very useful to stop users from adding a
2876 symbolic link to \fI/etc/passwd\fR in their home
2877 directory for instance. However it will slow filename lookups
2880 This option is enabled (i.e. \fBsmbd\fR will
2881 follow symbolic links) by default.
2883 Default: \fBfollow symlinks = yes\fR
2885 \fBforce create mode (S)\fR
2886 This parameter specifies a set of UNIX mode bit
2887 permissions that will \fBalways\fR be set on a
2888 file created by Samba. This is done by bitwise 'OR'ing these bits onto
2889 the mode bits of a file that is being created or having its
2890 permissions changed. The default for this parameter is (in octal)
2891 000. The modes in this parameter are bitwise 'OR'ed onto the file
2892 mode after the mask set in the \fIcreate mask\fR
2893 parameter is applied.
2895 See also the parameter \fIcreate
2896 mask\fR for details on masking mode bits on files.
2898 See also the \fIinherit
2899 permissions\fR parameter.
2901 Default: \fBforce create mode = 000\fR
2903 Example: \fBforce create mode = 0755\fR
2905 would force all created files to have read and execute
2906 permissions set for 'group' and 'other' as well as the
2907 read/write/execute bits set for the 'user'.
2909 \fBforce directory mode (S)\fR
2910 This parameter specifies a set of UNIX mode bit
2911 permissions that will \fBalways\fR be set on a directory
2912 created by Samba. This is done by bitwise 'OR'ing these bits onto the
2913 mode bits of a directory that is being created. The default for this
2914 parameter is (in octal) 0000 which will not add any extra permission
2915 bits to a created directory. This operation is done after the mode
2916 mask in the parameter \fIdirectory mask\fR is
2919 See also the parameter \fI directory mask\fR for details on masking mode bits
2920 on created directories.
2922 See also the \fI inherit permissions\fR parameter.
2924 Default: \fBforce directory mode = 000\fR
2926 Example: \fBforce directory mode = 0755\fR
2928 would force all created directories to have read and execute
2929 permissions set for 'group' and 'other' as well as the
2930 read/write/execute bits set for the 'user'.
2932 \fBforce directory\fR
2933 This parameter controls what UNIX permission bits
2934 can be modified when a Windows NT client is manipulating the UNIX
2935 permission on a directory using the native NT security dialog box.
2937 This parameter is applied as a mask (OR'ed with) to the
2938 changed permission bits, thus forcing any bits in this mask that
2939 the user may have modified to be on. Essentially, one bits in this
2940 mask may be treated as a set of bits that, when modifying security
2941 on a directory, the user has always set to be 'on'.
2943 If not set explicitly this parameter is 000, which
2944 allows a user to modify all the user/group/world permissions on a
2945 directory without restrictions.
2947 \fBNote\fR that users who can access the
2948 Samba server through other means can easily bypass this restriction,
2949 so it is primarily useful for standalone "appliance" systems.
2950 Administrators of most normal systems will probably want to leave
2953 See also the \fI directory security mask\fR, \fIsecurity mask\fR,
2954 \fIforce security mode
2957 Default: \fBforce directory security mode = 0\fR
2959 Example: \fBforce directory security mode = 700\fR
2961 \fBforce group (S)\fR
2962 This specifies a UNIX group name that will be
2963 assigned as the default primary group for all users connecting
2964 to this service. This is useful for sharing files by ensuring
2965 that all access to files on service will use the named group for
2966 their permissions checking. Thus, by assigning permissions for this
2967 group to the files and directories within this service the Samba
2968 administrator can restrict or allow sharing of these files.
2970 In Samba 2.0.5 and above this parameter has extended
2971 functionality in the following way. If the group name listed here
2972 has a '+' character prepended to it then the current user accessing
2973 the share only has the primary group default assigned to this group
2974 if they are already assigned as a member of that group. This allows
2975 an administrator to decide that only users who are already in a
2976 particular group will create files with group ownership set to that
2977 group. This gives a finer granularity of ownership assignment. For
2978 example, the setting \fIforce group = +sys\fR means
2979 that only users who are already in group sys will have their default
2980 primary group assigned to sys when accessing this Samba share. All
2981 other users will retain their ordinary primary group.
2983 If the \fIforce user
2984 \fRparameter is also set the group specified in
2985 \fIforce group\fR will override the primary group
2986 set in \fIforce user\fR.
2991 Default: \fBno forced group\fR
2993 Example: \fBforce group = agroup\fR
2995 \fBforce security mode (S)\fR
2996 This parameter controls what UNIX permission
2997 bits can be modified when a Windows NT client is manipulating
2998 the UNIX permission on a file using the native NT security dialog
3001 This parameter is applied as a mask (OR'ed with) to the
3002 changed permission bits, thus forcing any bits in this mask that
3003 the user may have modified to be on. Essentially, one bits in this
3004 mask may be treated as a set of bits that, when modifying security
3005 on a file, the user has always set to be 'on'.
3007 If not set explicitly this parameter is set to 0,
3008 and allows a user to modify all the user/group/world permissions on a file,
3009 with no restrictions.
3011 \fBNote\fR that users who can access
3012 the Samba server through other means can easily bypass this restriction,
3013 so it is primarily useful for standalone "appliance" systems.
3014 Administrators of most normal systems will probably want to leave
3017 See also the \fI force directory security mode\fR,
3018 \fIdirectory security
3019 mask\fR, \fI security mask\fR parameters.
3021 Default: \fBforce security mode = 0\fR
3023 Example: \fBforce security mode = 700\fR
3025 \fBforce unknown acl user (S)\fR
3026 If this parameter is set, a Windows NT ACL that contains
3027 an unknown SID (security descriptor, or representation of a user or group id)
3028 as the owner or group owner of the file will be silently mapped into the
3029 current UNIX uid or gid of the currently connected user.
3031 This is designed to allow Windows NT clients to copy files and
3032 folders containing ACLs that were created locally on the client machine
3033 and contain users local to that machine only (no domain users) to be
3034 copied to a Samba server (usually with XCOPY /O) and have the unknown
3035 userid and groupid of the file owner map to the current connected user.
3036 This can only be fixed correctly when winbindd allows arbitrary mapping
3037 from any Windows NT SID to a UNIX uid or gid.
3039 Try using this parameter when XCOPY /O gives an ACCESS_DENIED error.
3041 See also \fIforce group
3043 Default: \fBFalse\fR
3045 Example: \fBforce unknown acl user = yes\fR
3047 \fBforce user (S)\fR
3048 This specifies a UNIX user name that will be
3049 assigned as the default user for all users connecting to this service.
3050 This is useful for sharing files. You should also use it carefully
3051 as using it incorrectly can cause security problems.
3053 This user name only gets used once a connection is established.
3054 Thus clients still need to connect as a valid user and supply a
3055 valid password. Once connected, all file operations will be performed
3056 as the "forced user", no matter what username the client connected
3057 as. This can be very useful.
3059 In Samba 2.0.5 and above this parameter also causes the
3060 primary group of the forced user to be used as the primary group
3061 for all file activity. Prior to 2.0.5 the primary group was left
3062 as the primary group of the connecting user (this was a bug).
3064 See also \fIforce group
3066 Default: \fBno forced user\fR
3068 Example: \fBforce user = auser\fR
3071 This parameter allows the administrator to
3072 configure the string that specifies the type of filesystem a share
3073 is using that is reported by \fBsmbd(8)
3074 \fR when a client queries the filesystem type
3075 for a share. The default type is NTFS for
3076 compatibility with Windows NT but this can be changed to other
3077 strings such as Samba or FAT
3080 Default: \fBfstype = NTFS\fR
3082 Example: \fBfstype = Samba\fR
3084 \fBgetwd cache (G)\fR
3085 This is a tuning option. When this is enabled a
3086 caching algorithm will be used to reduce the time taken for getwd()
3087 calls. This can have a significant impact on performance, especially
3088 when the \fIwide links\fR
3089 parameter is set to no.
3091 Default: \fBgetwd cache = yes\fR
3094 Synonym for \fIforce
3097 \fBguest account (S)\fR
3098 This is a username which will be used for access
3099 to services which are specified as \fI guest ok\fR (see below). Whatever privileges this
3100 user has will be available to any client connecting to the guest service.
3101 Typically this user will exist in the password file, but will not
3102 have a valid login. The user account "ftp" is often a good choice
3103 for this parameter. If a username is specified in a given service,
3104 the specified username overrides this one.
3106 One some systems the default guest account "nobody" may not
3107 be able to print. Use another account in this case. You should test
3108 this by trying to log in as your guest user (perhaps by using the
3109 \fBsu -\fR command) and trying to print using the
3110 system print command such as \fBlpr(1)\fR or \fB lp(1)\fR.
3112 Default: \fBspecified at compile time, usually
3115 Example: \fBguest account = ftp\fR
3118 If this parameter is yes for
3119 a service, then no password is required to connect to the service.
3120 Privileges will be those of the \fI guest account\fR.
3122 See the section below on \fI security\fR for more information about this option.
3124 Default: \fBguest ok = no\fR
3126 \fBguest only (S)\fR
3127 If this parameter is yes for
3128 a service, then only guest connections to the service are permitted.
3129 This parameter will have no effect if \fIguest ok\fR is not set for the service.
3131 See the section below on \fI security\fR for more information about this option.
3133 Default: \fBguest only = no\fR
3135 \fBhide dot files (S)\fR
3136 This is a boolean parameter that controls whether
3137 files starting with a dot appear as hidden files.
3139 Default: \fBhide dot files = yes\fR
3142 This is a list of files or directories that are not
3143 visible but are accessible. The DOS 'hidden' attribute is applied
3144 to any files or directories that match.
3146 Each entry in the list must be separated by a '/',
3147 which allows spaces to be included in the entry. '*'
3148 and '?' can be used to specify multiple files or directories
3149 as in DOS wildcards.
3151 Each entry must be a Unix path, not a DOS path and must
3152 not include the Unix directory separator '/'.
3154 Note that the case sensitivity option is applicable
3157 Setting this parameter will affect the performance of Samba,
3158 as it will be forced to check all files and directories for a match
3159 as they are scanned.
3162 dot files\fR, \fI veto files\fR and \fIcase sensitive\fR.
3164 Default: \fBno file are hidden\fR
3166 Example: \fBhide files =
3167 /.*/DesktopFolderDB/TrashFor%m/resource.frk/\fR
3169 The above example is based on files that the Macintosh
3170 SMB client (DAVE) available from
3171 Thursby <URL:http://www.thursby.com> creates for internal use, and also still hides
3172 all files beginning with a dot.
3174 \fBhide local users(G)\fR
3175 This parameter toggles the hiding of local UNIX
3176 users (root, wheel, floppy, etc) from remote clients.
3178 Default: \fBhide local users = no\fR
3180 \fBhide unreadable (S)\fR
3181 This parameter prevents clients from seeing the
3182 existance of files that cannot be read. Defaults to off.
3184 Default: \fBhide unreadable = no\fR
3186 \fBhomedir map (G)\fR
3188 \fRis yes, and \fBsmbd(8)\fR is also acting
3189 as a Win95/98 \fIlogon server\fR then this parameter
3190 specifies the NIS (or YP) map from which the server for the user's
3191 home directory should be extracted. At present, only the Sun
3192 auto.home map format is understood. The form of the map is:
3194 \fBusername server:/some/file/system\fR
3196 and the program will extract the servername from before
3197 the first ':'. There should probably be a better parsing system
3198 that copes with different map formats and also Amd (another
3201 \fBNOTE :\fRA working NIS client is required on
3202 the system for this option to work.
3204 See also \fInis homedir\fR
3205 , \fIdomain logons\fR
3208 Default: \fBhomedir map = <empty string>\fR
3210 Example: \fBhomedir map = amd.homedir\fR
3212 \fBhost msdfs (G)\fR
3213 This boolean parameter is only available
3214 if Samba has been configured and compiled with the \fB --with-msdfs\fR option. If set to yes,
3215 Samba will act as a Dfs server, and allow Dfs-aware clients
3216 to browse Dfs trees hosted on the server.
3218 See also the \fI msdfs root\fR share level parameter. For
3219 more information on setting up a Dfs tree on Samba,
3220 refer to msdfs_setup.html
3222 Default: \fBhost msdfs = no\fR
3224 \fBhosts allow (S)\fR
3225 A synonym for this parameter is \fIallow
3228 This parameter is a comma, space, or tab delimited
3229 set of hosts which are permitted to access a service.
3231 If specified in the [global] section then it will
3232 apply to all services, regardless of whether the individual
3233 service has a different setting.
3235 You can specify the hosts by name or IP number. For
3236 example, you could restrict access to only the hosts on a
3237 Class C subnet with something like \fBallow hosts = 150.203.5.
3238 \fR\&. The full syntax of the list is described in the man
3239 page \fIhosts_access(5)\fR. Note that this man
3240 page may not be present on your system, so a brief description will
3243 Note that the localhost address 127.0.0.1 will always
3244 be allowed access unless specifically denied by a \fIhosts deny\fR option.
3246 You can also specify hosts by network/netmask pairs and
3247 by netgroup names if your system supports netgroups. The
3248 \fBEXCEPT\fR keyword can also be used to limit a
3249 wildcard list. The following examples may provide some help:
3251 Example 1: allow all IPs in 150.203.*.*; except one
3253 \fBhosts allow = 150.203. EXCEPT 150.203.6.66\fR
3255 Example 2: allow hosts that match the given network/netmask
3257 \fBhosts allow = 150.203.15.0/255.255.255.0\fR
3259 Example 3: allow a couple of hosts
3261 \fBhosts allow = lapland, arvidsjaur\fR
3263 Example 4: allow only hosts in NIS netgroup "foonet", but
3264 deny access from one particular host
3266 \fBhosts allow = @foonet\fR
3268 \fBhosts deny = pirate\fR
3270 Note that access still requires suitable user-level passwords.
3272 See \fBtestparm(1)\fR
3273 for a way of testing your host access to see if it does
3276 Default: \fBnone (i.e., all hosts permitted access)
3278 Example: \fBallow hosts = 150.203.5. myhost.mynet.edu.au
3280 \fBhosts deny (S)\fR
3281 The opposite of \fIhosts allow\fR
3282 - hosts listed here are \fBNOT\fR permitted access to
3283 services unless the specific services have their own lists to override
3284 this one. Where the lists conflict, the \fIallow\fR
3285 list takes precedence.
3287 Default: \fBnone (i.e., no hosts specifically excluded)
3289 Example: \fBhosts deny = 150.203.4. badhost.mynet.edu.au
3291 \fBhosts equiv (G)\fR
3292 If this global parameter is a non-null string,
3293 it specifies the name of a file to read for the names of hosts
3294 and users who will be allowed access without specifying a password.
3296 This is not be confused with \fIhosts allow\fR which is about hosts
3297 access to services and is more useful for guest services. \fI hosts equiv\fR may be useful for NT clients which will
3298 not supply passwords to Samba.
3300 \fBNOTE :\fR The use of \fIhosts equiv
3301 \fRcan be a major security hole. This is because you are
3302 trusting the PC to supply the correct username. It is very easy to
3303 get a PC to supply a false username. I recommend that the
3304 \fIhosts equiv\fR option be only used if you really
3305 know what you are doing, or perhaps on a home network where you trust
3306 your spouse and kids. And only if you \fBreally\fR trust
3309 Default: \fBno host equivalences\fR
3311 Example: \fBhosts equiv = /etc/hosts.equiv\fR
3314 This allows you to include one config file
3315 inside another. The file is included literally, as though typed
3318 It takes the standard substitutions, except \fI%u
3319 \fR, \fI%P\fR and \fI%S\fR.
3321 Default: \fBno file included\fR
3323 Example: \fBinclude = /usr/local/samba/lib/admin_smb.conf
3325 \fBinherit acls (S)\fR
3326 This parameter can be used to ensure
3327 that if default acls exist on parent directories,
3328 they are always honored when creating a subdirectory.
3329 The default behavior is to use the mode specified
3330 when creating the directory. Enabling this option
3331 sets the mode to 0777, thus guaranteeing that
3332 default directory acls are propagated.
3334 Default: \fBinherit acls = no\fR
3336 \fBinherit permissions (S)\fR
3337 The permissions on new files and directories
3338 are normally governed by \fI create mask\fR, \fIdirectory mask\fR, \fIforce create mode\fR
3340 directory mode\fR but the boolean inherit
3341 permissions parameter overrides this.
3343 New directories inherit the mode of the parent directory,
3344 including bits such as setgid.
3346 New files inherit their read/write bits from the parent
3347 directory. Their execute bits continue to be determined by
3350 and \fImap system\fR
3353 Note that the setuid bit is \fBnever\fR set via
3354 inheritance (the code explicitly prohibits this).
3356 This can be particularly useful on large systems with
3357 many users, perhaps several thousand, to allow a single [homes]
3358 share to be used flexibly by each user.
3360 See also \fIcreate mask
3361 \fR, \fI directory mask\fR, \fIforce create mode\fR and \fIforce directory mode\fR
3364 Default: \fBinherit permissions = no\fR
3366 \fBinterfaces (G)\fR
3367 This option allows you to override the default
3368 network interfaces list that Samba will use for browsing, name
3369 registration and other NBT traffic. By default Samba will query
3370 the kernel for the list of all active interfaces and use any
3371 interfaces except 127.0.0.1 that are broadcast capable.
3373 The option takes a list of interface strings. Each string
3374 can be in any of the following forms:
3378 a network interface name (such as eth0).
3379 This may include shell-like wildcards so eth* will match
3380 any interface starting with the substring "eth"
3383 an IP address. In this case the netmask is
3384 determined from the list of interfaces obtained from the
3391 a broadcast/mask pair.
3394 The "mask" parameters can either be a bit length (such
3395 as 24 for a C class network) or a full netmask in dotted
3399 The "IP" parameters above can either be a full dotted
3400 decimal IP address or a hostname which will be looked up via
3401 the OS's normal hostname resolution mechanisms.
3404 For example, the following line:
3407 \fBinterfaces = eth0 192.168.2.10/24 192.168.3.10/255.255.255.0
3410 would configure three network interfaces corresponding
3411 to the eth0 device and IP addresses 192.168.2.10 and 192.168.3.10.
3412 The netmasks of the latter two interfaces would be set to 255.255.255.0.
3419 Default: \fBall active interfaces except 127.0.0.1
3420 that are broadcast capable\fR
3423 \fBinvalid users (S)\fR
3424 This is a list of users that should not be allowed
3425 to login to this service. This is really a \fBparanoid\fR
3426 check to absolutely ensure an improper setting does not breach
3429 A name starting with a '@' is interpreted as an NIS
3430 netgroup first (if your system supports NIS), and then as a UNIX
3431 group if the name was not found in the NIS netgroup database.
3433 A name starting with '+' is interpreted only
3434 by looking in the UNIX group database. A name starting with
3435 \&'&' is interpreted only by looking in the NIS netgroup database
3436 (this requires NIS to be working on your system). The characters
3437 \&'+' and '&' may be used at the start of the name in either order
3438 so the value \fI+&group\fR means check the
3439 UNIX group database, followed by the NIS netgroup database, and
3440 the value \fI&+group\fR means check the NIS
3441 netgroup database, followed by the UNIX group database (the
3442 same as the '@' prefix).
3444 The current servicename is substituted for \fI%S\fR.
3445 This is useful in the [homes] section.
3447 See also \fIvalid users
3450 Default: \fBno invalid users\fR
3452 Example: \fBinvalid users = root fred admin @wheel
3455 The value of the parameter (an integer) represents
3456 the number of seconds between \fIkeepalive\fR
3457 packets. If this parameter is zero, no keepalive packets will be
3458 sent. Keepalive packets, if sent, allow the server to tell whether
3459 a client is still present and responding.
3461 Keepalives should, in general, not be needed if the socket
3462 being used has the SO_KEEPALIVE attribute set on it (see \fIsocket options\fR).
3463 Basically you should only use this option if you strike difficulties.
3465 Default: \fBkeepalive = 300\fR
3467 Example: \fBkeepalive = 600\fR
3469 \fBkernel oplocks (G)\fR
3470 For UNIXes that support kernel based \fIoplocks\fR
3471 (currently only IRIX and the Linux 2.4 kernel), this parameter
3472 allows the use of them to be turned on or off.
3474 Kernel oplocks support allows Samba \fIoplocks
3475 \fRto be broken whenever a local UNIX process or NFS operation
3476 accesses a file that \fBsmbd(8)\fR
3477 has oplocked. This allows complete data consistency between
3478 SMB/CIFS, NFS and local file access (and is a \fBvery\fR
3481 This parameter defaults to on, but is translated
3482 to a no-op on systems that no not have the necessary kernel support.
3483 You should never need to touch this parameter.
3485 See also the \fIoplocks\fR
3486 and \fIlevel2 oplocks
3489 Default: \fBkernel oplocks = yes\fR
3491 \fBlanman auth (G)\fR
3492 This parameter determines whether or not smbd will
3493 attempt to authenticate users using the LANMAN password hash.
3494 If disabled, only clients which support NT password hashes (e.g. Windows
3495 NT/2000 clients, smbclient, etc... but not Windows 95/98 or the MS DOS
3496 network client) will be able to connect to the Samba host.
3498 Default : \fBlanman auth = yes\fR
3500 \fBlarge readwrite (G)\fR
3501 This parameter determines whether or not smbd
3502 supports the new 64k streaming read and write varient SMB requests introduced
3503 with Windows 2000. Note that due to Windows 2000 client redirector bugs
3504 this requires Samba to be running on a 64-bit capable operating system such
3505 as IRIX, Solaris or a Linux 2.4 kernel. Can improve performance by 10% with
3506 Windows 2000 clients. Defaults to off. Not as tested as some other Samba
3509 Default : \fBlarge readwrite = no\fR
3511 \fBldap admin dn (G)\fR
3512 This parameter is only available if Samba has been
3513 configure to include the \fB--with-ldapsam\fR option
3514 at compile time. This option should be considered experimental and
3515 under active development.
3517 The \fIldap admin dn\fR defines the Distinguished
3518 Name (DN) name used by Samba to contact the ldap
3519 server when retreiving user account information. The \fIldap
3520 admin dn\fR is used in conjunction with the admin dn password
3521 stored in the \fIprivate/secrets.tdb\fR file. See the
3522 \fBsmbpasswd(8)\fR man
3523 page for more information on how to accmplish this.
3525 Default : \fBnone\fR
3527 \fBldap filter (G)\fR
3528 This parameter is only available if Samba has been
3529 configure to include the \fB--with-ldapsam\fR option
3530 at compile time. This option should be considered experimental and
3531 under active development.
3533 This parameter specifies the RFC 2254 compliant LDAP search filter.
3534 The default is to match the login name with the uid
3535 attribute for all entries matching the sambaAccount
3536 objectclass. Note that this filter should only return one entry.
3538 Default : \fBldap filter = (&(uid=%u)(objectclass=sambaAccount))\fR
3541 This parameter is only available if Samba has been
3542 configure to include the \fB--with-ldapsam\fR option
3543 at compile time. This option should be considered experimental and
3544 under active development.
3546 This option is used to control the tcp port number used to contact
3547 the \fIldap server\fR.
3548 The default is to use the stand LDAPS port 636.
3552 Default : \fBldap port = 636 ; if ldap ssl = on\fR
3554 Default : \fBldap port = 389 ; if ldap ssl = off\fR
3556 \fBldap server (G)\fR
3557 This parameter is only available if Samba has been
3558 configure to include the \fB--with-ldapsam\fR option
3559 at compile time. This option should be considered experimental and
3560 under active development.
3562 This parameter should contains the FQDN of the ldap directory
3563 server which should be queried to locate user account information.
3565 Default : \fBldap server = localhost\fR
3568 This parameter is only available if Samba has been
3569 configure to include the \fB--with-ldapsam\fR option
3570 at compile time. This option should be considered experimental and
3571 under active development.
3573 This option is used to define whether or not Samba should
3574 use SSL when connecting to the \fIldap
3575 server\fR. This is \fBNOT\fR related to
3576 Samba SSL support which is enabled by specifying the
3577 \fB--with-ssl\fR option to the \fIconfigure\fR
3578 script (see \fIssl\fR).
3580 The \fIldap ssl\fR can be set to one of three values:
3581 (a) on - Always use SSL when contacting the
3582 \fIldap server\fR, (b) off -
3583 Never use SSL when querying the directory, or (c) start_tls
3584 - Use the LDAPv3 StartTLS extended operation
3585 (RFC2830) for communicating with the directory server.
3587 Default : \fBldap ssl = on\fR
3589 \fBldap suffix (G)\fR
3590 This parameter is only available if Samba has been
3591 configure to include the \fB--with-ldapsam\fR option
3592 at compile time. This option should be considered experimental and
3593 under active development.
3595 Default : \fBnone\fR
3597 \fBlevel2 oplocks (S)\fR
3598 This parameter controls whether Samba supports
3599 level2 (read-only) oplocks on a share.
3601 Level2, or read-only oplocks allow Windows NT clients
3602 that have an oplock on a file to downgrade from a read-write oplock
3603 to a read-only oplock once a second client opens the file (instead
3604 of releasing all oplocks on a second open, as in traditional,
3605 exclusive oplocks). This allows all openers of the file that
3606 support level2 oplocks to cache the file for read-ahead only (ie.
3607 they may not cache writes or lock requests) and increases performance
3608 for many accesses of files that are not commonly written (such as
3609 application .EXE files).
3611 Once one of the clients which have a read-only oplock
3612 writes to the file all clients are notified (no reply is needed
3613 or waited for) and told to break their oplocks to "none" and
3614 delete any read-ahead caches.
3616 It is recommended that this parameter be turned on
3617 to speed access to shared executables.
3619 For more discussions on level2 oplocks see the CIFS spec.
3621 Currently, if \fIkernel
3622 oplocks\fR are supported then level2 oplocks are
3623 not granted (even if this parameter is set to yes).
3624 Note also, the \fIoplocks\fR
3625 parameter must be set to yes on this share in order for
3626 this parameter to have any effect.
3628 See also the \fIoplocks\fR
3629 and \fIkernel oplocks\fR
3632 Default: \fBlevel2 oplocks = yes\fR
3634 \fBlm announce (G)\fR
3635 This parameter determines if \fBnmbd(8)\fR will produce Lanman announce
3636 broadcasts that are needed by OS/2 clients in order for them to see
3637 the Samba server in their browse list. This parameter can have three
3639 auto. The default is auto.
3640 If set to no Samba will never produce these
3641 broadcasts. If set to yes Samba will produce
3642 Lanman announce broadcasts at a frequency set by the parameter
3643 \fIlm interval\fR. If set to auto
3644 Samba will not send Lanman announce broadcasts by default but will
3645 listen for them. If it hears such a broadcast on the wire it will
3646 then start sending them at a frequency set by the parameter
3649 See also \fIlm interval
3652 Default: \fBlm announce = auto\fR
3654 Example: \fBlm announce = yes\fR
3656 \fBlm interval (G)\fR
3657 If Samba is set to produce Lanman announce
3658 broadcasts needed by OS/2 clients (see the \fIlm announce\fR parameter) then this
3659 parameter defines the frequency in seconds with which they will be
3660 made. If this is set to zero then no Lanman announcements will be
3661 made despite the setting of the \fIlm announce\fR
3667 Default: \fBlm interval = 60\fR
3669 Example: \fBlm interval = 120\fR
3671 \fBload printers (G)\fR
3672 A boolean variable that controls whether all
3673 printers in the printcap will be loaded for browsing by default.
3674 See the printers section for
3677 Default: \fBload printers = yes\fR
3679 \fBlocal master (G)\fR
3680 This option allows \fB nmbd(8)\fR to try and become a local master browser
3681 on a subnet. If set to no then \fB nmbd\fR will not attempt to become a local master browser
3682 on a subnet and will also lose in all browsing elections. By
3683 default this value is set to yes. Setting this value to yes doesn't
3684 mean that Samba will \fBbecome\fR the local master
3685 browser on a subnet, just that \fBnmbd\fR will \fB participate\fR in elections for local master browser.
3687 Setting this value to no will cause \fBnmbd\fR
3688 \fBnever\fR to become a local master browser.
3690 Default: \fBlocal master = yes\fR
3693 Synonym for \fI lock directory\fR.
3695 \fBlock directory (G)\fR
3696 This option specifies the directory where lock
3697 files will be placed. The lock files are used to implement the
3698 \fImax connections\fR
3701 Default: \fBlock directory = ${prefix}/var/locks\fR
3703 Example: \fBlock directory = /var/run/samba/locks\fR
3705 \fBlock spin count (G)\fR
3706 This parameter controls the number of times
3707 that smbd should attempt to gain a byte range lock on the
3708 behalf of a client request. Experiments have shown that
3709 Windows 2k servers do not reply with a failure if the lock
3710 could not be immediately granted, but try a few more times
3711 in case the lock could later be aquired. This behavior
3712 is used to support PC database formats such as MS Access
3715 Default: \fBlock spin count = 2\fR
3717 \fBlock spin time (G)\fR
3718 The time in microseconds that smbd should
3719 pause before attempting to gain a failed lock. See
3721 count\fR for more details.
3723 Default: \fBlock spin time = 10\fR
3726 This controls whether or not locking will be
3727 performed by the server in response to lock requests from the
3730 If \fBlocking = no\fR, all lock and unlock
3731 requests will appear to succeed and all lock queries will report
3732 that the file in question is available for locking.
3734 If \fBlocking = yes\fR, real locking will be performed
3737 This option \fBmay\fR be useful for read-only
3738 filesystems which \fBmay\fR not need locking (such as
3739 CDROM drives), although setting this parameter of no
3740 is not really recommended even in this case.
3742 Be careful about disabling locking either globally or in a
3743 specific service, as lack of locking may result in data corruption.
3744 You should never need to set this parameter.
3746 Default: \fBlocking = yes\fR
3749 This option allows you to override the name
3750 of the Samba log file (also known as the debug file).
3752 This option takes the standard substitutions, allowing
3753 you to have separate log files for each user or machine.
3755 Example: \fBlog file = /usr/local/samba/var/log.%m
3758 The value of the parameter (an integer) allows
3759 the debug level (logging level) to be specified in the
3760 \fIsmb.conf\fR file. This is to give greater
3761 flexibility in the configuration of the system.
3763 The default will be the log level specified on
3764 the command line or level zero if none was specified.
3766 Example: \fBlog level = 3\fR
3768 \fBlogon drive (G)\fR
3769 This parameter specifies the local path to
3770 which the home directory will be connected (see \fIlogon home\fR)
3771 and is only used by NT Workstations.
3773 Note that this option is only useful if Samba is set up as a
3776 Default: \fBlogon drive = z:\fR
3778 Example: \fBlogon drive = h:\fR
3780 \fBlogon home (G)\fR
3781 This parameter specifies the home directory
3782 location when a Win95/98 or NT Workstation logs into a Samba PDC.
3785 C:\\> \fBNET USE H: /HOME\fR
3787 from a command prompt, for example.
3789 This option takes the standard substitutions, allowing
3790 you to have separate logon scripts for each user or machine.
3792 This parameter can be used with Win9X workstations to ensure
3793 that roaming profiles are stored in a subdirectory of the user's
3794 home directory. This is done in the following way:
3796 \fBlogon home = \\\\%N\\%U\\profile\fR
3798 This tells Samba to return the above string, with
3799 substitutions made when a client requests the info, generally
3800 in a NetUserGetInfo request. Win9X clients truncate the info to
3801 \\\\server\\share when a user does \fBnet use /home\fR
3802 but use the whole string when dealing with profiles.
3804 Note that in prior versions of Samba, the \fIlogon path\fR was returned rather than
3805 \fIlogon home\fR. This broke \fBnet use
3806 /home\fR but allowed profiles outside the home directory.
3807 The current implementation is correct, and can be used for
3808 profiles if you use the above trick.
3810 This option is only useful if Samba is set up as a logon
3813 Default: \fBlogon home = "\\\\%N\\%U"\fR
3815 Example: \fBlogon home = "\\\\remote_smb_server\\%U"\fR
3817 \fBlogon path (G)\fR
3818 This parameter specifies the home directory
3819 where roaming profiles (NTuser.dat etc files for Windows NT) are
3820 stored. Contrary to previous versions of these manual pages, it has
3821 nothing to do with Win 9X roaming profiles. To find out how to
3822 handle roaming profiles for Win 9X system, see the \fIlogon home\fR parameter.
3824 This option takes the standard substitutions, allowing you
3825 to have separate logon scripts for each user or machine. It also
3826 specifies the directory from which the "Application Data",
3827 (\fIdesktop\fR, \fIstart menu\fR,
3828 \fInetwork neighborhood\fR, \fIprograms\fR
3829 and other folders, and their contents, are loaded and displayed on
3830 your Windows NT client.
3832 The share and the path must be readable by the user for
3833 the preferences and directories to be loaded onto the Windows NT
3834 client. The share must be writeable when the user logs in for the first
3835 time, in order that the Windows NT client can create the NTuser.dat
3836 and other directories.
3838 Thereafter, the directories and any of the contents can,
3839 if required, be made read-only. It is not advisable that the
3840 NTuser.dat file be made read-only - rename it to NTuser.man to
3841 achieve the desired effect (a \fBMAN\fRdatory
3844 Windows clients can sometimes maintain a connection to
3845 the [homes] share, even though there is no user logged in.
3846 Therefore, it is vital that the logon path does not include a
3847 reference to the homes share (i.e. setting this parameter to
3848 \\%N\\%U\\profile_path will cause problems).
3850 This option takes the standard substitutions, allowing
3851 you to have separate logon scripts for each user or machine.
3853 Note that this option is only useful if Samba is set up
3856 Default: \fBlogon path = \\\\%N\\%U\\profile\fR
3858 Example: \fBlogon path = \\\\PROFILESERVER\\PROFILE\\%U\fR
3860 \fBlogon script (G)\fR
3861 This parameter specifies the batch file (.bat) or
3862 NT command file (.cmd) to be downloaded and run on a machine when
3863 a user successfully logs in. The file must contain the DOS
3864 style CR/LF line endings. Using a DOS-style editor to create the
3865 file is recommended.
3867 The script must be a relative path to the [netlogon]
3868 service. If the [netlogon] service specifies a \fIpath\fR of \fI/usr/local/samba/netlogon
3869 \fR, and \fBlogon script = STARTUP.BAT\fR, then
3870 the file that will be downloaded is:
3872 \fI/usr/local/samba/netlogon/STARTUP.BAT\fR
3874 The contents of the batch file are entirely your choice. A
3875 suggested command would be to add \fBNET TIME \\\\SERVER /SET
3876 /YES\fR, to force every machine to synchronize clocks with
3877 the same time server. Another use would be to add \fBNET USE
3878 U: \\\\SERVER\\UTILS\fR for commonly used utilities, or \fB NET USE Q: \\\\SERVER\\ISO9001_QA\fR for example.
3880 Note that it is particularly important not to allow write
3881 access to the [netlogon] share, or to grant users write permission
3882 on the batch files in a secure environment, as this would allow
3883 the batch files to be arbitrarily modified and security to be
3886 This option takes the standard substitutions, allowing you
3887 to have separate logon scripts for each user or machine.
3889 This option is only useful if Samba is set up as a logon
3892 Default: \fBno logon script defined\fR
3894 Example: \fBlogon script = scripts\\%U.bat\fR
3896 \fBlppause command (S)\fR
3897 This parameter specifies the command to be
3898 executed on the server host in order to stop printing or spooling
3899 a specific print job.
3901 This command should be a program or script which takes
3902 a printer name and job number to pause the print job. One way
3903 of implementing this is by using job priorities, where jobs
3904 having a too low priority won't be sent to the printer.
3906 If a \fI%p\fR is given then the printer name
3907 is put in its place. A \fI%j\fR is replaced with
3908 the job number (an integer). On HPUX (see \fIprinting=hpux
3909 \fR), if the \fI-p%p\fR option is added
3910 to the lpq command, the job will show up with the correct status, i.e.
3911 if the job priority is lower than the set fence priority it will
3912 have the PAUSED status, whereas if the priority is equal or higher it
3913 will have the SPOOLED or PRINTING status.
3915 Note that it is good practice to include the absolute path
3916 in the lppause command as the PATH may not be available to the server.
3918 See also the \fIprinting
3921 Default: Currently no default value is given to
3922 this string, unless the value of the \fIprinting\fR
3923 parameter is SYSV, in which case the default is :
3925 \fBlp -i %p-%j -H hold\fR
3927 or if the value of the \fIprinting\fR parameter
3928 is SOFTQ, then the default is:
3930 \fBqstat -s -j%j -h\fR
3932 Example for HPUX: \fBlppause command = /usr/bin/lpalt
3935 \fBlpq cache time (G)\fR
3936 This controls how long lpq info will be cached
3937 for to prevent the \fBlpq\fR command being called too
3938 often. A separate cache is kept for each variation of the \fB lpq\fR command used by the system, so if you use different
3939 \fBlpq\fR commands for different users then they won't
3940 share cache information.
3942 The cache files are stored in \fI/tmp/lpq.xxxx\fR
3943 where xxxx is a hash of the \fBlpq\fR command in use.
3945 The default is 10 seconds, meaning that the cached results
3946 of a previous identical \fBlpq\fR command will be used
3947 if the cached data is less than 10 seconds old. A large value may
3948 be advisable if your \fBlpq\fR command is very slow.
3950 A value of 0 will disable caching completely.
3952 See also the \fIprinting
3955 Default: \fBlpq cache time = 10\fR
3957 Example: \fBlpq cache time = 30\fR
3959 \fBlpq command (S)\fR
3960 This parameter specifies the command to be
3961 executed on the server host in order to obtain \fBlpq
3962 \fR-style printer status information.
3964 This command should be a program or script which
3965 takes a printer name as its only parameter and outputs printer
3968 Currently nine styles of printer status information
3969 are supported; BSD, AIX, LPRNG, PLP, SYSV, HPUX, QNX, CUPS, and SOFTQ.
3970 This covers most UNIX systems. You control which type is expected
3971 using the \fIprinting =\fR option.
3973 Some clients (notably Windows for Workgroups) may not
3974 correctly send the connection number for the printer they are
3975 requesting status information about. To get around this, the
3976 server reports on the first printer service connected to by the
3977 client. This only happens if the connection number sent is invalid.
3979 If a \fI%p\fR is given then the printer name
3980 is put in its place. Otherwise it is placed at the end of the
3983 Note that it is good practice to include the absolute path
3984 in the \fIlpq command\fR as the \fB$PATH
3985 \fRmay not be available to the server. When compiled with
3986 the CUPS libraries, no \fIlpq command\fR is
3987 needed because smbd will make a library call to obtain the
3988 print queue listing.
3990 See also the \fIprinting
3993 Default: \fBdepends on the setting of \fI printing\fB\fR
3995 Example: \fBlpq command = /usr/bin/lpq -P%p\fR
3997 \fBlpresume command (S)\fR
3998 This parameter specifies the command to be
3999 executed on the server host in order to restart or continue
4000 printing or spooling a specific print job.
4002 This command should be a program or script which takes
4003 a printer name and job number to resume the print job. See
4004 also the \fIlppause command
4007 If a \fI%p\fR is given then the printer name
4008 is put in its place. A \fI%j\fR is replaced with
4009 the job number (an integer).
4011 Note that it is good practice to include the absolute path
4012 in the \fIlpresume command\fR as the PATH may not
4013 be available to the server.
4015 See also the \fIprinting
4018 Default: Currently no default value is given
4019 to this string, unless the value of the \fIprinting\fR
4020 parameter is SYSV, in which case the default is :
4022 \fBlp -i %p-%j -H resume\fR
4024 or if the value of the \fIprinting\fR parameter
4025 is SOFTQ, then the default is:
4027 \fBqstat -s -j%j -r\fR
4029 Example for HPUX: \fBlpresume command = /usr/bin/lpalt
4032 \fBlprm command (S)\fR
4033 This parameter specifies the command to be
4034 executed on the server host in order to delete a print job.
4036 This command should be a program or script which takes
4037 a printer name and job number, and deletes the print job.
4039 If a \fI%p\fR is given then the printer name
4040 is put in its place. A \fI%j\fR is replaced with
4041 the job number (an integer).
4043 Note that it is good practice to include the absolute
4044 path in the \fIlprm command\fR as the PATH may not be
4045 available to the server.
4047 See also the \fIprinting
4050 Default: \fBdepends on the setting of \fIprinting
4052 Example 1: \fBlprm command = /usr/bin/lprm -P%p %j
4054 Example 2: \fBlprm command = /usr/bin/cancel %p-%j
4056 \fBmachine password timeout (G)\fR
4057 If a Samba server is a member of a Windows
4058 NT Domain (see the security = domain)
4059 parameter) then periodically a running smbd(8) process will try and change the MACHINE ACCOUNT
4060 PASSWORD stored in the TDB called \fIprivate/secrets.tdb
4061 \fR\&. This parameter specifies how often this password
4062 will be changed, in seconds. The default is one week (expressed in
4063 seconds), the same as a Windows NT Domain member server.
4065 See also \fBsmbpasswd(8)
4066 \fR and the security = domain) parameter.
4068 Default: \fBmachine password timeout = 604800\fR
4070 \fBmagic output (S)\fR
4071 This parameter specifies the name of a file
4072 which will contain output created by a magic script (see the
4076 Warning: If two clients use the same \fImagic script
4077 \fRin the same directory the output file content
4080 Default: \fBmagic output = <magic script name>.out
4082 Example: \fBmagic output = myfile.txt\fR
4084 \fBmagic script (S)\fR
4085 This parameter specifies the name of a file which,
4086 if opened, will be executed by the server when the file is closed.
4087 This allows a UNIX script to be sent to the Samba host and
4088 executed on behalf of the connected user.
4090 Scripts executed in this way will be deleted upon
4091 completion assuming that the user has the appropriate level
4092 of privilege and the file permissions allow the deletion.
4094 If the script generates output, output will be sent to
4095 the file specified by the \fI magic output\fR parameter (see above).
4097 Note that some shells are unable to interpret scripts
4098 containing CR/LF instead of CR as
4099 the end-of-line marker. Magic scripts must be executable
4100 \fBas is\fR on the host, which for some hosts and
4101 some shells will require filtering at the DOS end.
4103 Magic scripts are \fBEXPERIMENTAL\fR and
4104 should \fBNOT\fR be relied upon.
4106 Default: \fBNone. Magic scripts disabled.\fR
4108 Example: \fBmagic script = user.csh\fR
4110 \fBmangle case (S)\fR
4111 See the section on NAME MANGLING
4113 Default: \fBmangle case = no\fR
4115 \fBmangled map (S)\fR
4116 This is for those who want to directly map UNIX
4117 file names which cannot be represented on Windows/DOS. The mangling
4118 of names is not always what is needed. In particular you may have
4119 documents with file extensions that differ between DOS and UNIX.
4120 For example, under UNIX it is common to use \fI.html\fR
4121 for HTML files, whereas under Windows/DOS \fI.htm\fR
4122 is more commonly used.
4124 So to map \fIhtml\fR to \fIhtm\fR
4127 \fBmangled map = (*.html *.htm)\fR
4129 One very useful case is to remove the annoying \fI;1
4130 \fRoff the ends of filenames on some CDROMs (only visible
4131 under some UNIXes). To do this use a map of (*;1 *;).
4133 Default: \fBno mangled map\fR
4135 Example: \fBmangled map = (*;1 *;)\fR
4137 \fBmangled names (S)\fR
4138 This controls whether non-DOS names under UNIX
4139 should be mapped to DOS-compatible names ("mangled") and made visible,
4140 or whether non-DOS names should simply be ignored.
4142 See the section on NAME MANGLING for details on how to control the mangling process.
4144 If mangling algorithm "hash" is used then the mangling algorithm is as follows:
4148 The first (up to) five alphanumeric characters
4149 before the rightmost dot of the filename are preserved, forced
4150 to upper case, and appear as the first (up to) five characters
4151 of the mangled name.
4154 A tilde "~" is appended to the first part of the mangled
4155 name, followed by a two-character unique sequence, based on the
4156 original root name (i.e., the original filename minus its final
4157 extension). The final extension is included in the hash calculation
4158 only if it contains any upper case characters or is longer than three
4161 Note that the character to use may be specified using
4162 the \fImangling char\fR
4163 option, if you don't like '~'.
4166 The first three alphanumeric characters of the final
4167 extension are preserved, forced to upper case and appear as the
4168 extension of the mangled name. The final extension is defined as that
4169 part of the original filename after the rightmost dot. If there are no
4170 dots in the filename, the mangled name will have no extension (except
4171 in the case of "hidden files" - see below).
4174 Files whose UNIX name begins with a dot will be
4175 presented as DOS hidden files. The mangled name will be created as
4176 for other filenames, but with the leading dot removed and "___" as
4177 its extension regardless of actual original extension (that's three
4181 The two-digit hash value consists of upper case
4182 alphanumeric characters.
4185 This algorithm can cause name collisions only if files
4186 in a directory share the same first five alphanumeric characters.
4187 The probability of such a clash is 1/1300.
4190 If mangling algorithm "hash2" is used then the mangling algorithm is as follows:
4195 The first alphanumeric character
4196 before the rightmost dot of the filename is preserved, forced
4197 to upper case, and appears as the first character of the mangled name.
4200 A base63 hash of 5 characters is generated and the
4201 first 4 characters of that hash are appended to the first character.
4204 A tilde "~" is appended to the first part of the mangled
4205 name, followed by the final character of the base36 hash of the name.
4207 Note that the character to use may be specified using
4208 the \fImangling char\fR
4209 option, if you don't like '~'.
4212 The first three alphanumeric characters of the final
4213 extension are preserved, forced to upper case and appear as the
4214 extension of the mangled name. The final extension is defined as that
4215 part of the original filename after the rightmost dot. If there are no
4216 dots in the filename, the mangled name will have no extension (except
4217 in the case of "hidden files" - see below).
4220 Files whose UNIX name begins with a dot will be
4221 presented as DOS hidden files. The mangled name will be created as
4222 for other filenames, but with the leading dot removed and "___" as
4223 its extension regardless of actual original extension (that's three
4227 The name mangling (if enabled) allows a file to be
4228 copied between UNIX directories from Windows/DOS while retaining
4229 the long UNIX filename. UNIX files can be renamed to a new extension
4230 from Windows/DOS and will retain the same basename. Mangled names
4231 do not change between sessions.
4234 Default: \fBmangled names = yes\fR
4237 \fBmangled stack (G)\fR
4238 This parameter controls the number of mangled names
4239 that should be cached in the Samba server smbd(8)
4241 This stack is a list of recently mangled base names
4242 (extensions are only maintained if they are longer than 3 characters
4243 or contains upper case characters).
4245 The larger this value, the more likely it is that mangled
4246 names can be successfully converted to correct long UNIX names.
4247 However, large stack sizes will slow most directory accesses. Smaller
4248 stacks save memory in the server (each stack element costs 256 bytes).
4250 It is not possible to absolutely guarantee correct long
4251 filenames, so be prepared for some surprises!
4253 Default: \fBmangled stack = 50\fR
4255 Example: \fBmangled stack = 100\fR
4257 \fBmangling char (S)\fR
4258 This controls what character is used as
4259 the \fBmagic\fR character in name mangling. The default is a '~'
4260 but this may interfere with some software. Use this option to set
4261 it to whatever you prefer.
4263 Default: \fBmangling char = ~\fR
4265 Example: \fBmangling char = ^\fR
4267 \fBmangling mathod(G)\fR
4268 controls the algorithm used for the generating
4269 the mangled names. Can take two different values, "hash" and
4270 "hash2". "hash" is the default and is the algorithm that has been
4271 used in Samba for many years. "hash2" is a newer and considered
4272 a better algorithm (generates less collisions) in the names.
4273 However, many Win32 applications store the mangled names and so
4274 changing to the new algorithm must not be done
4275 lightly as these applications may break unless reinstalled.
4276 New installations of Samba may set the default to hash2.
4278 Default: \fBmangling method = hash\fR
4280 Example: \fBmangling method = hash2\fR
4282 \fBmap archive (S)\fR
4283 This controls whether the DOS archive attribute
4284 should be mapped to the UNIX owner execute bit. The DOS archive bit
4285 is set when a file has been modified since its last backup. One
4286 motivation for this option it to keep Samba/your PC from making
4287 any file it touches from becoming executable under UNIX. This can
4288 be quite annoying for shared source code, documents, etc...
4290 Note that this requires the \fIcreate mask\fR
4291 parameter to be set such that owner execute bit is not masked out
4292 (i.e. it must include 100). See the parameter \fIcreate mask\fR for details.
4294 Default: \fBmap archive = yes\fR
4296 \fBmap hidden (S)\fR
4297 This controls whether DOS style hidden files
4298 should be mapped to the UNIX world execute bit.
4300 Note that this requires the \fIcreate mask\fR
4301 to be set such that the world execute bit is not masked out (i.e.
4302 it must include 001). See the parameter \fIcreate mask\fR for details.
4304 Default: \fBmap hidden = no\fR
4306 \fBmap system (S)\fR
4307 This controls whether DOS style system files
4308 should be mapped to the UNIX group execute bit.
4310 Note that this requires the \fIcreate mask\fR
4311 to be set such that the group execute bit is not masked out (i.e.
4312 it must include 010). See the parameter \fIcreate mask\fR for details.
4314 Default: \fBmap system = no\fR
4316 \fBmap to guest (G)\fR
4317 This parameter is only useful in security modes other than \fIsecurity = share\fR
4318 - i.e. user, server,
4321 This parameter can take three different values, which tell
4322 smbd(8) what to do with user
4323 login requests that don't match a valid UNIX user in some way.
4325 The three settings are :
4329 Never - Means user login
4330 requests with an invalid password are rejected. This is the
4334 Bad User - Means user
4335 logins with an invalid password are rejected, unless the username
4336 does not exist, in which case it is treated as a guest login and
4337 mapped into the \fI guest account\fR.
4340 Bad Password - Means user logins
4341 with an invalid password are treated as a guest login and mapped
4342 into the guest account. Note that
4343 this can cause problems as it means that any user incorrectly typing
4344 their password will be silently logged on as "guest" - and
4345 will not know the reason they cannot access files they think
4346 they should - there will have been no message given to them
4347 that they got their password wrong. Helpdesk services will
4348 \fBhate\fR you if you set the \fImap to
4349 guest\fR parameter this way :-).
4352 Note that this parameter is needed to set up "Guest"
4353 share services when using \fIsecurity\fR modes other than
4354 share. This is because in these modes the name of the resource being
4355 requested is \fBnot\fR sent to the server until after
4356 the server has successfully authenticated the client so the server
4357 cannot make authentication decisions at the correct time (connection
4358 to the share) for "Guest" shares.
4361 For people familiar with the older Samba releases, this
4362 parameter maps to the old compile-time setting of the GUEST_SESSSETUP value in local.h.
4365 Default: \fBmap to guest = Never\fR
4368 Example: \fBmap to guest = Bad User\fR
4371 \fBmax connections (S)\fR
4372 This option allows the number of simultaneous
4373 connections to a service to be limited. If \fImax connections
4374 \fRis greater than 0 then connections will be refused if
4375 this number of connections to the service are already open. A value
4376 of zero mean an unlimited number of connections may be made.
4378 Record lock files are used to implement this feature. The
4379 lock files will be stored in the directory specified by the \fIlock directory\fR
4382 Default: \fBmax connections = 0\fR
4384 Example: \fBmax connections = 10\fR
4386 \fBmax disk size (G)\fR
4387 This option allows you to put an upper limit
4388 on the apparent size of disks. If you set this option to 100
4389 then all shares will appear to be not larger than 100 MB in
4392 Note that this option does not limit the amount of
4393 data you can put on the disk. In the above case you could still
4394 store much more than 100 MB on the disk, but if a client ever asks
4395 for the amount of free disk space or the total disk size then the
4396 result will be bounded by the amount specified in \fImax
4399 This option is primarily useful to work around bugs
4400 in some pieces of software that can't handle very large disks,
4401 particularly disks over 1GB in size.
4403 A \fImax disk size\fR of 0 means no limit.
4405 Default: \fBmax disk size = 0\fR
4407 Example: \fBmax disk size = 1000\fR
4409 \fBmax log size (G)\fR
4410 This option (an integer in kilobytes) specifies
4411 the max size the log file should grow to. Samba periodically checks
4412 the size and if it is exceeded it will rename the file, adding
4413 a \fI.old\fR extension.
4415 A size of 0 means no limit.
4417 Default: \fBmax log size = 5000\fR
4419 Example: \fBmax log size = 1000\fR
4422 This option controls the maximum number of
4423 outstanding simultaneous SMB operations that Samba tells the client
4424 it will allow. You should never need to set this parameter.
4426 Default: \fBmax mux = 50\fR
4428 \fBmax open files (G)\fR
4429 This parameter limits the maximum number of
4430 open files that one smbd(8) file
4431 serving process may have open for a client at any one time. The
4432 default for this parameter is set very high (10,000) as Samba uses
4433 only one bit per unopened file.
4435 The limit of the number of open files is usually set
4436 by the UNIX per-process file descriptor limit rather than
4437 this parameter so you should never need to touch this parameter.
4439 Default: \fBmax open files = 10000\fR
4441 \fBmax print jobs (S)\fR
4442 This parameter limits the maximum number of
4443 jobs allowable in a Samba printer queue at any given moment.
4444 If this number is exceeded, \fB smbd(8)\fR will remote "Out of Space" to the client.
4448 Default: \fBmax print jobs = 1000\fR
4450 Example: \fBmax print jobs = 5000\fR
4452 \fBmax protocol (G)\fR
4453 The value of the parameter (a string) is the highest
4454 protocol level that will be supported by the server.
4456 Possible values are :
4460 CORE: Earliest version. No
4461 concept of user names.
4464 COREPLUS: Slight improvements on
4465 CORE for efficiency.
4468 LANMAN1: First \fB modern\fR version of the protocol. Long filename
4472 LANMAN2: Updates to Lanman1 protocol.
4475 NT1: Current up to date version of
4476 the protocol. Used by Windows NT. Known as CIFS.
4479 Normally this option should not be set as the automatic
4480 negotiation phase in the SMB protocol takes care of choosing
4481 the appropriate protocol.
4488 Default: \fBmax protocol = NT1\fR
4491 Example: \fBmax protocol = LANMAN1\fR
4494 \fBmax smbd processes (G)\fR
4495 This parameter limits the maximum number of
4497 processes concurrently running on a system and is intended
4498 as a stopgap to prevent degrading service to clients in the event
4499 that the server has insufficient resources to handle more than this
4500 number of connections. Remember that under normal operating
4501 conditions, each user will have an smbd associated with him or her
4502 to handle connections to all shares from a given host.
4504 Default: \fBmax smbd processes = 0\fR ## no limit
4506 Example: \fBmax smbd processes = 1000\fR
4509 This option tells nmbd(8)
4510 what the default 'time to live' of NetBIOS names should be (in seconds)
4511 when \fBnmbd\fR is requesting a name using either a
4512 broadcast packet or from a WINS server. You should never need to
4513 change this parameter. The default is 3 days.
4515 Default: \fBmax ttl = 259200\fR
4517 \fBmax wins ttl (G)\fR
4518 This option tells nmbd(8)
4519 when acting as a WINS server ( \fIwins support = yes\fR) what the maximum
4520 \&'time to live' of NetBIOS names that \fBnmbd\fR
4521 will grant will be (in seconds). You should never need to change this
4522 parameter. The default is 6 days (518400 seconds).
4525 wins ttl\fR parameter.
4527 Default: \fBmax wins ttl = 518400\fR
4530 This option controls the maximum packet size
4531 that will be negotiated by Samba. The default is 65535, which
4532 is the maximum. In some cases you may find you get better performance
4533 with a smaller value. A value below 2048 is likely to cause problems.
4535 Default: \fBmax xmit = 65535\fR
4537 Example: \fBmax xmit = 8192\fR
4539 \fBmessage command (G)\fR
4540 This specifies what command to run when the
4541 server receives a WinPopup style message.
4543 This would normally be a command that would
4544 deliver the message somehow. How this is to be done is
4545 up to your imagination.
4549 \fBmessage command = csh -c 'xedit %s;rm %s' &\fR
4551 This delivers the message using \fBxedit\fR, then
4552 removes it afterwards. \fBNOTE THAT IT IS VERY IMPORTANT
4553 THAT THIS COMMAND RETURN IMMEDIATELY\fR. That's why I
4554 have the '&' on the end. If it doesn't return immediately then
4555 your PCs may freeze when sending messages (they should recover
4556 after 30 seconds, hopefully).
4558 All messages are delivered as the global guest user.
4559 The command takes the standard substitutions, although \fI %u\fR won't work (\fI%U\fR may be better
4562 Apart from the standard substitutions, some additional
4563 ones apply. In particular:
4567 \fI%s\fR = the filename containing
4571 \fI%t\fR = the destination that
4572 the message was sent to (probably the server name).
4575 \fI%f\fR = who the message
4579 You could make this command send mail, or whatever else
4580 takes your fancy. Please let us know of any really interesting
4584 Here's a way of sending the messages as mail to root:
4587 \fBmessage command = /bin/mail -s 'message from %f on
4588 %m' root < %s; rm %s\fR
4591 If you don't have a message command then the message
4592 won't be delivered and Samba will tell the sender there was
4593 an error. Unfortunately WfWg totally ignores the error code
4594 and carries on regardless, saying that the message was delivered.
4597 If you want to silently delete it then try:
4600 \fBmessage command = rm %s\fR
4603 Default: \fBno message command\fR
4606 Example: \fBmessage command = csh -c 'xedit %s;
4610 \fBmin passwd length (G)\fR
4611 Synonym for \fImin password length\fR.
4613 \fBmin password length (G)\fR
4614 This option sets the minimum length in characters
4615 of a plaintext password that \fBsmbd\fR will accept when performing
4616 UNIX password changing.
4619 password sync\fR, \fIpasswd program\fR and \fIpasswd chat debug\fR
4622 Default: \fBmin password length = 5\fR
4624 \fBmin print space (S)\fR
4625 This sets the minimum amount of free disk
4626 space that must be available before a user will be able to spool
4627 a print job. It is specified in kilobytes. The default is 0, which
4628 means a user can always spool a print job.
4630 See also the \fIprinting
4633 Default: \fBmin print space = 0\fR
4635 Example: \fBmin print space = 2000\fR
4637 \fBmin protocol (G)\fR
4638 The value of the parameter (a string) is the
4639 lowest SMB protocol dialect than Samba will support. Please refer
4640 to the \fImax protocol\fR
4641 parameter for a list of valid protocol names and a brief description
4642 of each. You may also wish to refer to the C source code in
4643 \fIsource/smbd/negprot.c\fR for a listing of known protocol
4644 dialects supported by clients.
4646 If you are viewing this parameter as a security measure, you should
4647 also refer to the \fIlanman
4648 auth\fR parameter. Otherwise, you should never need
4649 to change this parameter.
4651 Default : \fBmin protocol = CORE\fR
4653 Example : \fBmin protocol = NT1\fR # disable DOS
4656 \fBmin wins ttl (G)\fR
4657 This option tells nmbd(8)
4658 when acting as a WINS server (\fI wins support = yes\fR) what the minimum 'time to live'
4659 of NetBIOS names that \fBnmbd\fR will grant will be (in
4660 seconds). You should never need to change this parameter. The default
4661 is 6 hours (21600 seconds).
4663 Default: \fBmin wins ttl = 21600\fR
4665 \fBmsdfs root (S)\fR
4666 This boolean parameter is only available if
4667 Samba is configured and compiled with the \fB --with-msdfs\fR option. If set to yes,
4668 Samba treats the share as a Dfs root and allows clients to browse
4669 the distributed file system tree rooted at the share directory.
4670 Dfs links are specified in the share directory by symbolic
4671 links of the form \fImsdfs:serverA\\shareA,serverB\\shareB
4672 \fRand so on. For more information on setting up a Dfs tree
4673 on Samba, refer to msdfs_setup.html
4676 See also \fIhost msdfs
4678 Default: \fBmsdfs root = no\fR
4680 \fBname resolve order (G)\fR
4681 This option is used by the programs in the Samba
4682 suite to determine what naming services to use and in what order
4683 to resolve host names to IP addresses. The option takes a space
4684 separated string of name resolution options.
4686 The options are :"lmhosts", "host", "wins" and "bcast". They
4687 cause names to be resolved as follows :
4691 lmhosts : Lookup an IP
4692 address in the Samba lmhosts file. If the line in lmhosts has
4693 no name type attached to the NetBIOS name (see the lmhosts(5) for details) then
4694 any name type matches for lookup.
4697 host : Do a standard host
4698 name to IP address resolution, using the system \fI/etc/hosts
4699 \fR, NIS, or DNS lookups. This method of name resolution
4700 is operating system depended for instance on IRIX or Solaris this
4701 may be controlled by the \fI/etc/nsswitch.conf\fR
4702 file. Note that this method is only used if the NetBIOS name
4703 type being queried is the 0x20 (server) name type, otherwise
4707 wins : Query a name with
4708 the IP address listed in the \fI wins server\fR parameter. If no WINS server has
4709 been specified this method will be ignored.
4712 bcast : Do a broadcast on
4713 each of the known local interfaces listed in the \fIinterfaces\fR
4714 parameter. This is the least reliable of the name resolution
4715 methods as it depends on the target host being on a locally
4719 Default: \fBname resolve order = lmhosts host wins bcast
4722 Example: \fBname resolve order = lmhosts bcast host
4725 This will cause the local lmhosts file to be examined
4726 first, followed by a broadcast attempt, followed by a normal
4727 system hostname lookup.
4730 \fBnetbios aliases (G)\fR
4731 This is a list of NetBIOS names that nmbd(8) will advertise as additional
4732 names by which the Samba server is known. This allows one machine
4733 to appear in browse lists under multiple names. If a machine is
4734 acting as a browse server or logon server none
4735 of these names will be advertised as either browse server or logon
4736 servers, only the primary name of the machine will be advertised
4737 with these capabilities.
4742 Default: \fBempty string (no additional names)\fR
4744 Example: \fBnetbios aliases = TEST TEST1 TEST2\fR
4746 \fBnetbios name (G)\fR
4747 This sets the NetBIOS name by which a Samba
4748 server is known. By default it is the same as the first component
4749 of the host's DNS name. If a machine is a browse server or
4750 logon server this name (or the first component
4751 of the hosts DNS name) will be the name that these services are
4757 Default: \fBmachine DNS name\fR
4759 Example: \fBnetbios name = MYNAME\fR
4761 \fBnetbios scope (G)\fR
4762 This sets the NetBIOS scope that Samba will
4763 operate under. This should not be set unless every machine
4764 on your LAN also sets this value.
4766 \fBnis homedir (G)\fR
4767 Get the home share server from a NIS map. For
4768 UNIX systems that use an automounter, the user's home directory
4769 will often be mounted on a workstation on demand from a remote
4772 When the Samba logon server is not the actual home directory
4773 server, but is mounting the home directories via NFS then two
4774 network hops would be required to access the users home directory
4775 if the logon server told the client to use itself as the SMB server
4776 for home directories (one over SMB and one over NFS). This can
4779 This option allows Samba to return the home share as
4780 being on a different server to the logon server and as
4781 long as a Samba daemon is running on the home directory server,
4782 it will be mounted on the Samba client directly from the directory
4783 server. When Samba is returning the home share to the client, it
4784 will consult the NIS map specified in \fIhomedir map\fR and return the server
4787 Note that for this option to work there must be a working
4788 NIS system and the Samba server with this option must also
4791 Default: \fBnis homedir = no\fR
4793 \fBnt acl support (S)\fR
4794 This boolean parameter controls whether
4795 smbd(8) will attempt to map
4796 UNIX permissions into Windows NT access control lists.
4797 This parameter was formally a global parameter in releases
4800 Default: \fBnt acl support = yes\fR
4802 \fBnt pipe support (G)\fR
4803 This boolean parameter controls whether
4804 smbd(8) will allow Windows NT
4805 clients to connect to the NT SMB specific IPC$
4806 pipes. This is a developer debugging option and can be left
4809 Default: \fBnt pipe support = yes\fR
4811 \fBnt smb support (G)\fR
4812 This boolean parameter controls whether smbd(8) will negotiate NT specific SMB
4813 support with Windows NT/2k/XP clients. Although this is a developer
4814 debugging option and should be left alone, benchmarking has discovered
4815 that Windows NT clients give faster performance with this option
4816 set to no. This is still being investigated.
4817 If this option is set to no then Samba offers
4818 exactly the same SMB calls that versions prior to Samba 2.0 offered.
4819 This information may be of use if any users are having problems
4820 with NT SMB support.
4822 You should not need to ever disable this parameter.
4824 Default: \fBnt smb support = yes\fR
4826 \fBnt status support (G)\fR
4827 This boolean parameter controls whether smbd(8) will negotiate NT specific status
4828 support with Windows NT/2k/XP clients. This is a developer
4829 debugging option and should be left alone.
4830 If this option is set to no then Samba offers
4831 exactly the same DOS error codes that versions prior to Samba 2.2.3
4834 You should not need to ever disable this parameter.
4836 Default: \fBnt status support = yes\fR
4838 \fBnull passwords (G)\fR
4839 Allow or disallow client access to accounts
4840 that have null passwords.
4842 See also smbpasswd (5)
4844 Default: \fBnull passwords = no\fR
4846 \fBobey pam restrictions (G)\fR
4847 When Samba 2.2 is configured to enable PAM support
4848 (i.e. --with-pam), this parameter will control whether or not Samba
4849 should obey PAM's account and session management directives. The
4850 default behavior is to use PAM for clear text authentication only
4851 and to ignore any account or session management. Note that Samba
4852 always ignores PAM for authentication in the case of \fIencrypt passwords = yes\fR
4853 \&. The reason is that PAM modules cannot support the challenge/response
4854 authentication mechanism needed in the presence of SMB password encryption.
4856 Default: \fBobey pam restrictions = no\fR
4859 This is a boolean option that controls whether
4860 connections with usernames not in the \fIuser\fR
4861 list will be allowed. By default this option is disabled so that a
4862 client can supply a username to be used by the server. Enabling
4863 this parameter will force the server to only user the login
4864 names from the \fIuser\fR list and is only really
4865 useful in shave level
4868 Note that this also means Samba won't try to deduce
4869 usernames from the service name. This can be annoying for
4870 the [homes] section. To get around this you could use \fBuser =
4871 %S\fR which means your \fIuser\fR list
4872 will be just the service name, which for home directories is the
4875 See also the \fIuser\fR
4878 Default: \fBonly user = no\fR
4880 \fBonly guest (S)\fR
4881 A synonym for \fI guest only\fR.
4883 \fBoplock break wait time (G)\fR
4884 This is a tuning parameter added due to bugs in
4885 both Windows 9x and WinNT. If Samba responds to a client too
4886 quickly when that client issues an SMB that can cause an oplock
4887 break request, then the network client can fail and not respond
4888 to the break request. This tuning parameter (which is set in milliseconds)
4889 is the amount of time Samba will wait before sending an oplock break
4890 request to such (broken) clients.
4892 \fBDO NOT CHANGE THIS PARAMETER UNLESS YOU HAVE READ
4893 AND UNDERSTOOD THE SAMBA OPLOCK CODE\fR.
4895 Default: \fBoplock break wait time = 0\fR
4897 \fBoplock contention limit (S)\fR
4898 This is a \fBvery\fR advanced
4899 smbd(8) tuning option to
4900 improve the efficiency of the granting of oplocks under multiple
4901 client contention for the same file.
4903 In brief it specifies a number, which causes smbd not to
4904 grant an oplock even when requested if the approximate number of
4905 clients contending for an oplock on the same file goes over this
4906 limit. This causes \fBsmbd\fR to behave in a similar
4909 \fBDO NOT CHANGE THIS PARAMETER UNLESS YOU HAVE READ
4910 AND UNDERSTOOD THE SAMBA OPLOCK CODE\fR.
4912 Default: \fBoplock contention limit = 2\fR
4915 This boolean option tells \fBsmbd\fR whether to
4916 issue oplocks (opportunistic locks) to file open requests on this
4917 share. The oplock code can dramatically (approx. 30% or more) improve
4918 the speed of access to files on Samba servers. It allows the clients
4919 to aggressively cache files locally and you may want to disable this
4920 option for unreliable network environments (it is turned on by
4921 default in Windows NT Servers). For more information see the file
4922 \fISpeed.txt\fR in the Samba \fIdocs/\fR
4925 Oplocks may be selectively turned off on certain files with a
4926 share. See the \fI veto oplock files\fR parameter. On some systems
4927 oplocks are recognized by the underlying operating system. This
4928 allows data synchronization between all access to oplocked files,
4929 whether it be via Samba or NFS or a local UNIX process. See the
4930 \fIkernel oplocks\fR parameter for details.
4932 See also the \fIkernel
4933 oplocks\fR and \fI level2 oplocks\fR parameters.
4935 Default: \fBoplocks = yes\fR
4938 This integer value controls what level Samba
4939 advertises itself as for browse elections. The value of this
4940 parameter determines whether nmbd(8)
4941 has a chance of becoming a local master browser for the \fI WORKGROUP\fR in the local broadcast area.
4943 \fBNote :\fRBy default, Samba will win
4944 a local master browsing election over all Microsoft operating
4945 systems except a Windows NT 4.0/2000 Domain Controller. This
4946 means that a misconfigured Samba host can effectively isolate
4947 a subnet for browsing purposes. See \fIBROWSING.txt
4948 \fRin the Samba \fIdocs/\fR directory
4951 Default: \fBos level = 20\fR
4953 Example: \fBos level = 65 \fR
4955 \fBos2 driver map (G)\fR
4956 The parameter is used to define the absolute
4957 path to a file containing a mapping of Windows NT printer driver
4958 names to OS/2 printer driver names. The format is:
4960 <nt driver name> = <os2 driver
4963 For example, a valid entry using the HP LaserJet 5
4964 printer driver would appear as \fBHP LaserJet 5L = LASERJET.HP
4967 The need for the file is due to the printer driver namespace
4968 problem described in the Samba
4969 Printing HOWTO For more details on OS/2 clients, please
4970 refer to the OS2-Client-HOWTO
4971 containing in the Samba documentation.
4973 Default: \fBos2 driver map = <empty string>
4975 \fBpam password change (G)\fR
4976 With the addition of better PAM support in Samba 2.2,
4977 this parameter, it is possible to use PAM's password change control
4978 flag for Samba. If enabled, then PAM will be used for password
4979 changes when requested by an SMB client instead of the program listed in
4980 \fIpasswd program\fR.
4981 It should be possible to enable this without changing your
4983 parameter for most setups.
4985 Default: \fBpam password change = no\fR
4987 \fBpanic action (G)\fR
4988 This is a Samba developer option that allows a
4989 system command to be called when either smbd(8)
4990 crashes. This is usually used to draw attention to the fact that
4993 Default: \fBpanic action = <empty string>\fR
4995 Example: \fBpanic action = "/bin/sleep 90000"\fR
4997 \fBpasswd chat (G)\fR
4998 This string controls the \fB"chat"\fR
4999 conversation that takes places between smbd and the local password changing
5000 program to change the user's password. The string describes a
5001 sequence of response-receive pairs that smbd(8) uses to determine what to send to the
5002 \fIpasswd program\fR
5003 and what to expect back. If the expected output is not
5004 received then the password is not changed.
5006 This chat sequence is often quite site specific, depending
5007 on what local methods are used for password control (such as NIS
5010 Note that this parameter only is only used if the \fIunix
5011 password sync\fR parameter is set to yes. This
5012 sequence is then called \fBAS ROOT\fR when the SMB password
5013 in the smbpasswd file is being changed, without access to the old
5014 password cleartext. This means that root must be able to reset the user's password
5015 without knowing the text of the previous password. In the presence of NIS/YP,
5016 this means that the passwd program must be
5017 executed on the NIS master.
5019 The string can contain the macro \fI%n\fR which is substituted
5020 for the new password. The chat sequence can also contain the standard
5021 macros \\n, \\r, \\t and \\s to give line-feed,
5022 carriage-return, tab and space. The chat sequence string can also contain
5023 a '*' which matches any sequence of characters.
5024 Double quotes can be used to collect strings with spaces
5025 in them into a single string.
5027 If the send string in any part of the chat sequence
5028 is a full stop ".", then no string is sent. Similarly,
5029 if the expect string is a full stop then no string is expected.
5032 password change\fR parameter is set to yes, the chat pairs
5033 may be matched in any order, and success is determined by the PAM result,
5034 not any particular output. The \\n macro is ignored for PAM conversions.
5036 See also \fIunix password
5037 sync\fR, \fI passwd program\fR , \fIpasswd chat debug\fR and \fIpam password change\fR.
5039 Default: \fBpasswd chat = *new*password* %n\\n
5040 *new*password* %n\\n *changed*\fR
5042 Example: \fBpasswd chat = "*Enter OLD password*" %o\\n
5043 "*Enter NEW password*" %n\\n "*Reenter NEW password*" %n\\n "*Password
5046 \fBpasswd chat debug (G)\fR
5047 This boolean specifies if the passwd chat script
5048 parameter is run in \fBdebug\fR mode. In this mode the
5049 strings passed to and received from the passwd chat are printed
5050 in the smbd(8) log with a
5052 of 100. This is a dangerous option as it will allow plaintext passwords
5053 to be seen in the \fBsmbd\fR log. It is available to help
5054 Samba admins debug their \fIpasswd chat\fR scripts
5055 when calling the \fIpasswd program\fR and should
5056 be turned off after this has been done. This option has no effect if the
5057 \fIpam password change\fR
5058 paramter is set. This parameter is off by default.
5060 See also \fIpasswd chat\fR
5061 , \fIpam password change\fR
5062 , \fIpasswd program\fR
5065 Default: \fBpasswd chat debug = no\fR
5067 \fBpasswd program (G)\fR
5068 The name of a program that can be used to set
5069 UNIX user passwords. Any occurrences of \fI%u\fR
5070 will be replaced with the user name. The user name is checked for
5071 existence before calling the password changing program.
5073 Also note that many passwd programs insist in \fBreasonable
5074 \fRpasswords, such as a minimum length, or the inclusion
5075 of mixed case chars and digits. This can pose a problem as some clients
5076 (such as Windows for Workgroups) uppercase the password before sending
5079 \fBNote\fR that if the \fIunix
5080 password sync\fR parameter is set to yes
5081 then this program is called \fBAS ROOT\fR
5082 before the SMB password in the smbpasswd(5)
5083 file is changed. If this UNIX password change fails, then
5084 \fBsmbd\fR will fail to change the SMB password also
5085 (this is by design).
5087 If the \fIunix password sync\fR parameter
5088 is set this parameter \fBMUST USE ABSOLUTE PATHS\fR
5089 for \fBALL\fR programs called, and must be examined
5090 for security implications. Note that by default \fIunix
5091 password sync\fR is set to no.
5096 Default: \fBpasswd program = /bin/passwd\fR
5098 Example: \fBpasswd program = /sbin/npasswd %u\fR
5100 \fBpassword level (G)\fR
5101 Some client/server combinations have difficulty
5102 with mixed-case passwords. One offending client is Windows for
5103 Workgroups, which for some reason forces passwords to upper
5104 case when using the LANMAN1 protocol, but leaves them alone when
5105 using COREPLUS! Another problem child is the Windows 95/98
5106 family of operating systems. These clients upper case clear
5107 text passwords even when NT LM 0.12 selected by the protocol
5108 negotiation request/response.
5110 This parameter defines the maximum number of characters
5111 that may be upper case in passwords.
5113 For example, say the password given was "FRED". If \fI password level\fR is set to 1, the following combinations
5114 would be tried if "FRED" failed:
5116 "Fred", "fred", "fRed", "frEd","freD"
5118 If \fIpassword level\fR was set to 2,
5119 the following combinations would also be tried:
5121 "FRed", "FrEd", "FreD", "fREd", "fReD", "frED", ..
5125 The higher value this parameter is set to the more likely
5126 it is that a mixed case password will be matched against a single
5127 case password. However, you should be aware that use of this
5128 parameter reduces security and increases the time taken to
5129 process a new connection.
5131 A value of zero will cause only two attempts to be
5132 made - the password as is and the password in all-lower case.
5134 Default: \fBpassword level = 0\fR
5136 Example: \fBpassword level = 4\fR
5138 \fBpassword server (G)\fR
5139 By specifying the name of another SMB server (such
5140 as a WinNT box) with this option, and using \fBsecurity = domain
5141 \fRor \fBsecurity = server\fR you can get Samba
5142 to do all its username/password validation via a remote server.
5144 This option sets the name of the password server to use.
5145 It must be a NetBIOS name, so if the machine's NetBIOS name is
5146 different from its Internet name then you may have to add its NetBIOS
5147 name to the lmhosts file which is stored in the same directory
5148 as the \fIsmb.conf\fR file.
5150 The name of the password server is looked up using the
5152 resolve order\fR and so may resolved
5153 by any method and order described in that parameter.
5155 The password server much be a machine capable of using
5156 the "LM1.2X002" or the "NT LM 0.12" protocol, and it must be in
5157 user level security mode.
5159 \fBNOTE:\fR Using a password server
5160 means your UNIX box (running Samba) is only as secure as your
5161 password server. \fBDO NOT CHOOSE A PASSWORD SERVER THAT
5162 YOU DON'T COMPLETELY TRUST\fR.
5164 Never point a Samba server at itself for password
5165 serving. This will cause a loop and could lock up your Samba
5168 The name of the password server takes the standard
5169 substitutions, but probably the only useful one is \fI%m
5170 \fR, which means the Samba server will use the incoming
5171 client as the password server. If you use this then you better
5172 trust your clients, and you had better restrict them with hosts allow!
5174 If the \fIsecurity\fR parameter is set to
5175 domain, then the list of machines in this
5176 option must be a list of Primary or Backup Domain controllers for the
5177 Domain or the character '*', as the Samba server is effectively
5178 in that domain, and will use cryptographically authenticated RPC calls
5179 to authenticate the user logging on. The advantage of using \fB security = domain\fR is that if you list several hosts in the
5180 \fIpassword server\fR option then \fBsmbd
5181 \fRwill try each in turn till it finds one that responds. This
5182 is useful in case your primary server goes down.
5184 If the \fIpassword server\fR option is set
5185 to the character '*', then Samba will attempt to auto-locate the
5186 Primary or Backup Domain controllers to authenticate against by
5187 doing a query for the name WORKGROUP<1C>
5188 and then contacting each server returned in the list of IP
5189 addresses from the name resolution source.
5191 If the \fIsecurity\fR parameter is
5192 set to server, then there are different
5193 restrictions that \fBsecurity = domain\fR doesn't
5198 You may list several password servers in
5199 the \fIpassword server\fR parameter, however if an
5200 \fBsmbd\fR makes a connection to a password server,
5201 and then the password server fails, no more users will be able
5202 to be authenticated from this \fBsmbd\fR. This is a
5203 restriction of the SMB/CIFS protocol when in \fBsecurity = server
5204 \fRmode and cannot be fixed in Samba.
5207 If you are using a Windows NT server as your
5208 password server then you will have to ensure that your users
5209 are able to login from the Samba server, as when in \fB security = server\fR mode the network logon will appear to
5210 come from there rather than from the users workstation.
5213 See also the \fIsecurity
5217 Default: \fBpassword server = <empty string>\fR
5220 Example: \fBpassword server = NT-PDC, NT-BDC1, NT-BDC2
5223 Example: \fBpassword server = *\fR
5227 This parameter specifies a directory to which
5228 the user of the service is to be given access. In the case of
5229 printable services, this is where print data will spool prior to
5230 being submitted to the host for printing.
5232 For a printable service offering guest access, the service
5233 should be readonly and the path should be world-writeable and
5234 have the sticky bit set. This is not mandatory of course, but
5235 you probably won't get the results you expect if you do
5238 Any occurrences of \fI%u\fR in the path
5239 will be replaced with the UNIX username that the client is using
5240 on this connection. Any occurrences of \fI%m\fR
5241 will be replaced by the NetBIOS name of the machine they are
5242 connecting from. These replacements are very useful for setting
5243 up pseudo home directories for users.
5245 Note that this path will be based on \fIroot dir\fR if one was specified.
5249 Example: \fBpath = /home/fred\fR
5251 \fBpid directory (G)\fR
5252 This option specifies the directory where pid
5253 files will be placed.
5255 Default: \fBpid directory = ${prefix}/var/locks\fR
5257 Example: \fBpid directory = /var/run/\fR
5259 \fBposix locking (S)\fR
5261 daemon maintains an database of file locks obtained by SMB clients.
5262 The default behavior is to map this internal database to POSIX
5263 locks. This means that file locks obtained by SMB clients are
5264 consistent with those seen by POSIX compliant applications accessing
5265 the files via a non-SMB method (e.g. NFS or local file access).
5266 You should never need to disable this parameter.
5268 Default: \fBposix locking = yes\fR
5271 This option specifies a command to be run
5272 whenever the service is disconnected. It takes the usual
5273 substitutions. The command may be run as the root on some
5276 An interesting example may be to unmount server
5279 \fBpostexec = /etc/umount /cdrom\fR
5281 See also \fIpreexec\fR
5284 Default: \fBnone (no command executed)\fR
5286 Example: \fBpostexec = echo \\"%u disconnected from %S
5287 from %m (%I)\\" >> /tmp/log\fR
5289 \fBpostscript (S)\fR
5290 This parameter forces a printer to interpret
5291 the print files as PostScript. This is done by adding a %!
5292 to the start of print output.
5294 This is most useful when you have lots of PCs that persist
5295 in putting a control-D at the start of print jobs, which then
5296 confuses your printer.
5298 Default: \fBpostscript = no\fR
5301 This option specifies a command to be run whenever
5302 the service is connected to. It takes the usual substitutions.
5304 An interesting example is to send the users a welcome
5305 message every time they log in. Maybe a message of the day? Here
5308 \fBpreexec = csh -c 'echo \\"Welcome to %S!\\" |
5309 /usr/local/samba/bin/smbclient -M %m -I %I' & \fR
5311 Of course, this could get annoying after a while :-)
5313 See also \fIpreexec close
5317 Default: \fBnone (no command executed)\fR
5319 Example: \fBpreexec = echo \\"%u connected to %S from %m
5320 (%I)\\" >> /tmp/log\fR
5322 \fBpreexec close (S)\fR
5323 This boolean option controls whether a non-zero
5324 return code from \fIpreexec
5325 \fRshould close the service being connected to.
5327 Default: \fBpreexec close = no\fR
5329 \fBpreferred master (G)\fR
5330 This boolean parameter controls if nmbd(8) is a preferred master browser
5333 If this is set to yes, on startup, \fBnmbd\fR
5334 will force an election, and it will have a slight advantage in
5335 winning the election. It is recommended that this parameter is
5336 used in conjunction with \fB\fI domain master\fB = yes\fR, so that \fB nmbd\fR can guarantee becoming a domain master.
5338 Use this option with caution, because if there are several
5339 hosts (whether Samba servers, Windows 95 or NT) that are preferred
5340 master browsers on the same subnet, they will each periodically
5341 and continuously attempt to become the local master browser.
5342 This will result in unnecessary broadcast traffic and reduced browsing
5345 See also \fIos level\fR
5348 Default: \fBpreferred master = auto\fR
5350 \fBprefered master (G)\fR
5351 Synonym for \fI preferred master\fR for people who cannot spell :-).
5354 This is a list of services that you want to be
5355 automatically added to the browse lists. This is most useful
5356 for homes and printers services that would otherwise not be
5359 Note that if you just want all printers in your
5360 printcap file loaded then the \fIload printers\fR option is easier.
5362 Default: \fBno preloaded services\fR
5364 Example: \fBpreload = fred lp colorlp\fR
5366 \fBpreserve case (S)\fR
5367 This controls if new filenames are created
5368 with the case that the client passes, or if they are forced to
5369 be the \fIdefault case
5372 Default: \fBpreserve case = yes\fR
5374 See the section on NAME
5375 MANGLING for a fuller discussion.
5377 \fBprint command (S)\fR
5378 After a print job has finished spooling to
5379 a service, this command will be used via a \fBsystem()\fR
5380 call to process the spool file. Typically the command specified will
5381 submit the spool file to the host's printing subsystem, but there
5382 is no requirement that this be the case. The server will not remove
5383 the spool file, so whatever command you specify should remove the
5384 spool file when it has been processed, otherwise you will need to
5385 manually remove old spool files.
5387 The print command is simply a text string. It will be used
5388 verbatim after macro substitutions have been made:
5390 s, %p - the path to the spool
5393 %p - the appropriate printer
5397 name as transmitted by the client.
5399 %c - The number of printed pages
5400 of the spooled job (if known).
5402 %z - the size of the spooled
5403 print job (in bytes)
5405 The print command \fBMUST\fR contain at least
5406 one occurrence of \fI%s\fR or \fI%f
5407 \fR- the \fI%p\fR is optional. At the time
5408 a job is submitted, if no printer name is supplied the \fI%p
5409 \fRwill be silently removed from the printer command.
5411 If specified in the [global] section, the print command given
5412 will be used for any printable service that does not have its own
5413 print command specified.
5415 If there is neither a specified print command for a
5416 printable service nor a global print command, spool files will
5417 be created but not processed and (most importantly) not removed.
5419 Note that printing may fail on some UNIXes from the
5420 nobody account. If this happens then create
5421 an alternative guest account that can print and set the \fIguest account\fR
5422 in the [global] section.
5424 You can form quite complex print commands by realizing
5425 that they are just passed to a shell. For example the following
5426 will log a print job, print the file, then remove it. Note that
5427 \&';' is the usual separator for command in shell scripts.
5429 \fBprint command = echo Printing %s >>
5430 /tmp/print.log; lpr -P %p %s; rm %s\fR
5432 You may have to vary this command considerably depending
5433 on how you normally print files on your system. The default for
5434 the parameter varies depending on the setting of the \fIprinting\fR parameter.
5436 Default: For \fBprinting = BSD, AIX, QNX, LPRNG
5439 \fBprint command = lpr -r -P%p %s\fR
5441 For \fBprinting = SYSV or HPUX :\fR
5443 \fBprint command = lp -c -d%p %s; rm %s\fR
5445 For \fBprinting = SOFTQ :\fR
5447 \fBprint command = lp -d%p -s %s; rm %s\fR
5449 For printing = CUPS : If SAMBA is compiled against
5450 libcups, then printcap = cups
5451 uses the CUPS API to
5452 submit jobs, etc. Otherwise it maps to the System V
5453 commands with the -oraw option for printing, i.e. it
5454 uses \fBlp -c -d%p -oraw; rm %s\fR.
5455 With \fBprinting = cups\fR,
5456 and if SAMBA is compiled against libcups, any manually
5457 set print command will be ignored.
5459 Example: \fBprint command = /usr/local/samba/bin/myprintscript
5463 Synonym for \fIprintable\fR.
5466 If this parameter is yes, then
5467 clients may open, write to and submit spool files on the directory
5468 specified for the service.
5470 Note that a printable service will ALWAYS allow writing
5471 to the service path (user privileges permitting) via the spooling
5472 of print data. The \fIread only
5473 \fRparameter controls only non-printing access to
5476 Default: \fBprintable = no\fR
5479 Synonym for \fI printcap name\fR.
5481 \fBprintcap name (G)\fR
5482 This parameter may be used to override the
5483 compiled-in default printcap name used by the server (usually \fI /etc/printcap\fR). See the discussion of the [printers] section above for reasons
5484 why you might want to do this.
5486 To use the CUPS printing interface set \fBprintcap name = cups
5487 \fR\&. This should be supplemented by an addtional setting
5488 printing = cups in the [global]
5489 section. \fBprintcap name = cups\fR will use the
5490 "dummy" printcap created by CUPS, as specified in your CUPS
5493 On System V systems that use \fBlpstat\fR to
5494 list available printers you can use \fBprintcap name = lpstat
5495 \fRto automatically obtain lists of available printers. This
5496 is the default for systems that define SYSV at configure time in
5497 Samba (this includes most System V based systems). If \fI printcap name\fR is set to \fBlpstat\fR on
5498 these systems then Samba will launch \fBlpstat -v\fR and
5499 attempt to parse the output to obtain a printer list.
5501 A minimal printcap file would look something like this:
5514 where the '|' separates aliases of a printer. The fact
5515 that the second alias has a space in it gives a hint to Samba
5516 that it's a comment.
5518 \fBNOTE\fR: Under AIX the default printcap
5519 name is \fI/etc/qconfig\fR. Samba will assume the
5520 file is in AIX \fIqconfig\fR format if the string
5521 \fIqconfig\fR appears in the printcap filename.
5523 Default: \fBprintcap name = /etc/printcap\fR
5525 Example: \fBprintcap name = /etc/myprintcap\fR
5527 \fBprinter admin (S)\fR
5528 This is a list of users that can do anything to
5529 printers via the remote administration interfaces offered by MS-RPC
5530 (usually using a NT workstation). Note that the root user always
5533 Default: \fBprinter admin = <empty string>\fR
5535 Example: \fBprinter admin = admin, @staff\fR
5537 \fBprinter driver (S)\fR
5538 \fBNote :\fRThis is a deprecated
5539 parameter and will be removed in the next major release
5540 following version 2.2. Please see the instructions in
5541 the Samba 2.2. Printing
5542 HOWTO for more information
5543 on the new method of loading printer drivers onto a Samba server.
5545 This option allows you to control the string
5546 that clients receive when they ask the server for the printer driver
5547 associated with a printer. If you are using Windows95 or Windows NT
5548 then you can use this to automate the setup of printers on your
5551 You need to set this parameter to the exact string (case
5552 sensitive) that describes the appropriate printer driver for your
5553 system. If you don't know the exact string to use then you should
5554 first try with no \fI printer driver\fR option set and the client will
5555 give you a list of printer drivers. The appropriate strings are
5556 shown in a scroll box after you have chosen the printer manufacturer.
5561 Example: \fBprinter driver = HP LaserJet 4L\fR
5563 \fBprinter driver file (G)\fR
5564 \fBNote :\fRThis is a deprecated
5565 parameter and will be removed in the next major release
5566 following version 2.2. Please see the instructions in
5567 the Samba 2.2. Printing
5568 HOWTO for more information
5569 on the new method of loading printer drivers onto a Samba server.
5571 This parameter tells Samba where the printer driver
5572 definition file, used when serving drivers to Windows 95 clients, is
5573 to be found. If this is not set, the default is :
5575 \fISAMBA_INSTALL_DIRECTORY
5576 /lib/printers.def\fR
5578 This file is created from Windows 95 \fImsprint.inf
5579 \fRfiles found on the Windows 95 client system. For more
5580 details on setting up serving of printer drivers to Windows 95
5581 clients, see the outdated documentation file in the \fIdocs/\fR
5582 directory, \fIPRINTER_DRIVER.txt\fR.
5584 See also \fI printer driver location\fR.
5586 Default: \fBNone (set in compile).\fR
5588 Example: \fBprinter driver file =
5589 /usr/local/samba/printers/drivers.def\fR
5591 \fBprinter driver location (S)\fR
5592 \fBNote :\fRThis is a deprecated
5593 parameter and will be removed in the next major release
5594 following version 2.2. Please see the instructions in
5595 the Samba 2.2. Printing
5596 HOWTO for more information
5597 on the new method of loading printer drivers onto a Samba server.
5599 This parameter tells clients of a particular printer
5600 share where to find the printer driver files for the automatic
5601 installation of drivers for Windows 95 machines. If Samba is set up
5602 to serve printer drivers to Windows 95 machines, this should be set to
5604 \fB\\\\MACHINE\\PRINTER$\fR
5606 Where MACHINE is the NetBIOS name of your Samba server,
5607 and PRINTER$ is a share you set up for serving printer driver
5608 files. For more details on setting this up see the outdated documentation
5609 file in the \fIdocs/\fR directory, \fI PRINTER_DRIVER.txt\fR.
5611 See also \fI printer driver file\fR.
5615 Example: \fBprinter driver location = \\\\MACHINE\\PRINTER$
5617 \fBprinter name (S)\fR
5618 This parameter specifies the name of the printer
5619 to which print jobs spooled through a printable service will be sent.
5621 If specified in the [global] section, the printer
5622 name given will be used for any printable service that does
5623 not have its own printer name specified.
5625 Default: \fBnone (but may be lp
5628 Example: \fBprinter name = laserwriter\fR
5631 Synonym for \fI printer name\fR.
5634 This parameters controls how printer status
5635 information is interpreted on your system. It also affects the
5636 default values for the \fIprint command\fR,
5637 \fIlpq command\fR, \fIlppause command
5638 \fR, \fIlpresume command\fR, and
5639 \fIlprm command\fR if specified in the
5642 Currently nine printing styles are supported. They are
5649 To see what the defaults are for the other print
5650 commands when using the various options use the testparm(1) program.
5652 This option can be set on a per printer basis
5654 See also the discussion in the [printers] section.
5656 \fBprofile acls (S)\fR
5657 This boolean parameter was added to fix the problems that people have been
5658 having with storing user profiles on Samba shares from Windows 2000 or
5659 Windows XP clients. New versions of Windows 2000 or Windows XP service
5660 packs do security ACL checking on the owner and ability to write of the
5661 profile directory stored on a local workstation when copied from a Samba
5662 share. When not in domain mode with winbindd then the security info copied
5663 onto the local workstation has no meaning to the logged in user (SID) on
5664 that workstation so the profile storing fails. Adding this parameter
5665 onto a share used for profile storage changes two things about the
5666 returned Windows ACL. Firstly it changes the owner and group owner
5667 of all reported files and directories to be BUILTIN\\Administrators,
5668 BUILTIN\\Users respectively (SIDs S-1-5-32-544, S-1-5-32-545). Secondly
5669 it adds an ACE entry of "Full Control" to the SID BUILTIN\\Users to
5670 every returned ACL. This will allow any Windows 2000 or XP workstation
5671 user to access the profile. Note that if you have multiple users logging
5672 on to a workstation then in order to prevent them from being able to access
5673 each others profiles you must remove the "Bypass traverse checking" advanced
5674 user right. This will prevent access to other users profile directories as
5675 the top level profile directory (named after the user) is created by the
5676 workstation profile code and has an ACL restricting entry to the directory
5677 tree to the owning user.
5679 If you didn't understand the above text, you probably should not set
5682 Default \fBprofile acls = no\fR
5685 Synonym for \fImax protocol\fR.
5688 Synonym for \fIguest
5691 \fBqueuepause command (S)\fR
5692 This parameter specifies the command to be
5693 executed on the server host in order to pause the printer queue.
5695 This command should be a program or script which takes
5696 a printer name as its only parameter and stops the printer queue,
5697 such that no longer jobs are submitted to the printer.
5699 This command is not supported by Windows for Workgroups,
5700 but can be issued from the Printers window under Windows 95
5703 If a \fI%p\fR is given then the printer name
5704 is put in its place. Otherwise it is placed at the end of the command.
5706 Note that it is good practice to include the absolute
5707 path in the command as the PATH may not be available to the
5710 Default: \fBdepends on the setting of \fIprinting
5712 Example: \fBqueuepause command = disable %p\fR
5714 \fBqueueresume command (S)\fR
5715 This parameter specifies the command to be
5716 executed on the server host in order to resume the printer queue. It
5717 is the command to undo the behavior that is caused by the
5718 previous parameter (\fI queuepause command\fR).
5720 This command should be a program or script which takes
5721 a printer name as its only parameter and resumes the printer queue,
5722 such that queued jobs are resubmitted to the printer.
5724 This command is not supported by Windows for Workgroups,
5725 but can be issued from the Printers window under Windows 95
5728 If a \fI%p\fR is given then the printer name
5729 is put in its place. Otherwise it is placed at the end of the
5732 Note that it is good practice to include the absolute
5733 path in the command as the PATH may not be available to the
5736 Default: \fBdepends on the setting of \fIprinting\fB\fR
5738 Example: \fBqueuepause command = enable %p
5741 This boolean parameter controls whether smbd(8) will support the "Read
5742 Block Multiplex" SMB. This is now rarely used and defaults to
5743 no. You should never need to set this
5746 Default: \fBread bmpx = no\fR
5749 This is a list of users that are given read-only
5750 access to a service. If the connecting user is in this list then
5751 they will not be given write access, no matter what the \fIread only\fR
5752 option is set to. The list can include group names using the
5753 syntax described in the \fI invalid users\fR parameter.
5755 See also the \fI write list\fR parameter and the \fIinvalid users\fR
5758 Default: \fBread list = <empty string>\fR
5760 Example: \fBread list = mary, @students\fR
5763 An inverted synonym is \fIwriteable\fR.
5765 If this parameter is yes, then users
5766 of a service may not create or modify files in the service's
5769 Note that a printable service (\fBprintable = yes\fR)
5770 will \fBALWAYS\fR allow writing to the directory
5771 (user privileges permitting), but only via spooling operations.
5773 Default: \fBread only = yes\fR
5776 This parameter controls whether or not the server
5777 will support the raw read SMB requests when transferring data
5780 If enabled, raw reads allow reads of 65535 bytes in
5781 one packet. This typically provides a major performance benefit.
5783 However, some clients either negotiate the allowable
5784 block size incorrectly or are incapable of supporting larger block
5785 sizes, and for these clients you may need to disable raw reads.
5787 In general this parameter should be viewed as a system tuning
5788 tool and left severely alone. See also \fIwrite raw\fR.
5790 Default: \fBread raw = yes\fR
5793 The option \fIread size\fR
5794 affects the overlap of disk reads/writes with network reads/writes.
5795 If the amount of data being transferred in several of the SMB
5796 commands (currently SMBwrite, SMBwriteX and SMBreadbraw) is larger
5797 than this value then the server begins writing the data before it
5798 has received the whole packet from the network, or in the case of
5799 SMBreadbraw, it begins writing to the network before all the data
5800 has been read from disk.
5802 This overlapping works best when the speeds of disk and
5803 network access are similar, having very little effect when the
5804 speed of one is much greater than the other.
5806 The default value is 16384, but very little experimentation
5807 has been done yet to determine the optimal value, and it is likely
5808 that the best value will vary greatly between systems anyway.
5809 A value over 65536 is pointless and will cause you to allocate
5810 memory unnecessarily.
5812 Default: \fBread size = 16384\fR
5814 Example: \fBread size = 8192\fR
5816 \fBremote announce (G)\fR
5817 This option allows you to setup nmbd(8) to periodically announce itself
5818 to arbitrary IP addresses with an arbitrary workgroup name.
5820 This is useful if you want your Samba server to appear
5821 in a remote workgroup for which the normal browse propagation
5822 rules don't work. The remote workgroup can be anywhere that you
5823 can send IP packets to.
5827 \fBremote announce = 192.168.2.255/SERVERS
5828 192.168.4.255/STAFF\fR
5830 the above line would cause \fBnmbd\fR to announce itself
5831 to the two given IP addresses using the given workgroup names.
5832 If you leave out the workgroup name then the one given in
5834 parameter is used instead.
5836 The IP addresses you choose would normally be the broadcast
5837 addresses of the remote networks, but can also be the IP addresses
5838 of known browse masters if your network config is that stable.
5840 See the documentation file \fIBROWSING.txt\fR
5841 in the \fIdocs/\fR directory.
5843 Default: \fBremote announce = <empty string>
5845 \fBremote browse sync (G)\fR
5846 This option allows you to setup nmbd(8) to periodically request
5847 synchronization of browse lists with the master browser of a Samba
5848 server that is on a remote segment. This option will allow you to
5849 gain browse lists for multiple workgroups across routed networks. This
5850 is done in a manner that does not work with any non-Samba servers.
5852 This is useful if you want your Samba server and all local
5853 clients to appear in a remote workgroup for which the normal browse
5854 propagation rules don't work. The remote workgroup can be anywhere
5855 that you can send IP packets to.
5859 \fBremote browse sync = 192.168.2.255 192.168.4.255
5861 the above line would cause \fBnmbd\fR to request
5862 the master browser on the specified subnets or addresses to
5863 synchronize their browse lists with the local server.
5865 The IP addresses you choose would normally be the broadcast
5866 addresses of the remote networks, but can also be the IP addresses
5867 of known browse masters if your network config is that stable. If
5868 a machine IP address is given Samba makes NO attempt to validate
5869 that the remote machine is available, is listening, nor that it
5870 is in fact the browse master on its segment.
5872 Default: \fBremote browse sync = <empty string>
5874 \fBrestrict anonymous (G)\fR
5875 This is a boolean parameter. If it is yes, then
5876 anonymous access to the server will be restricted, namely in the
5877 case where the server is expecting the client to send a username,
5878 but it doesn't. Setting it to yes will force these anonymous
5879 connections to be denied, and the client will be required to always
5880 supply a username and password when connecting. Use of this parameter
5881 is only recommended for homogeneous NT client environments.
5883 This parameter makes the use of macro expansions that rely
5884 on the username (%U, %G, etc) consistent. NT 4.0
5885 likes to use anonymous connections when refreshing the share list,
5886 and this is a way to work around that.
5888 When restrict anonymous is yes, all anonymous connections
5889 are denied no matter what they are for. This can effect the ability
5890 of a machine to access the Samba Primary Domain Controller to revalidate
5891 its machine account after someone else has logged on the client
5892 interactively. The NT client will display a message saying that
5893 the machine's account in the domain doesn't exist or the password is
5894 bad. The best way to deal with this is to reboot NT client machines
5895 between interactive logons, using "Shutdown and Restart", rather
5896 than "Close all programs and logon as a different user".
5898 Default: \fBrestrict anonymous = no\fR
5901 Synonym for \fIroot directory"\fR.
5904 Synonym for \fIroot directory"\fR.
5906 \fBroot directory (G)\fR
5907 The server will \fBchroot()\fR (i.e.
5908 Change its root directory) to this directory on startup. This is
5909 not strictly necessary for secure operation. Even without it the
5910 server will deny access to files not in one of the service entries.
5911 It may also check for, and deny access to, soft links to other
5912 parts of the filesystem, or attempts to use ".." in file names
5913 to access other directories (depending on the setting of the \fIwide links\fR
5916 Adding a \fIroot directory\fR entry other
5917 than "/" adds an extra level of security, but at a price. It
5918 absolutely ensures that no access is given to files not in the
5919 sub-tree specified in the \fIroot directory\fR
5920 option, \fBincluding\fR some files needed for
5921 complete operation of the server. To maintain full operability
5922 of the server you will need to mirror some system files
5923 into the \fIroot directory\fR tree. In particular
5924 you will need to mirror \fI/etc/passwd\fR (or a
5925 subset of it), and any binaries or configuration files needed for
5926 printing (if required). The set of files that must be mirrored is
5927 operating system dependent.
5929 Default: \fBroot directory = /\fR
5931 Example: \fBroot directory = /homes/smb\fR
5933 \fBroot postexec (S)\fR
5934 This is the same as the \fIpostexec\fR
5935 parameter except that the command is run as root. This
5936 is useful for unmounting filesystems
5937 (such as CDROMs) after a connection is closed.
5939 See also \fI postexec\fR.
5941 Default: \fBroot postexec = <empty string>
5943 \fBroot preexec (S)\fR
5944 This is the same as the \fIpreexec\fR
5945 parameter except that the command is run as root. This
5946 is useful for mounting filesystems (such as CDROMs) when a
5947 connection is opened.
5949 See also \fI preexec\fR and \fIpreexec close\fR.
5951 Default: \fBroot preexec = <empty string>
5953 \fBroot preexec close (S)\fR
5954 This is the same as the \fIpreexec close
5955 \fRparameter except that the command is run as root.
5957 See also \fI preexec\fR and \fIpreexec close\fR.
5959 Default: \fBroot preexec close = no\fR
5962 This option affects how clients respond to
5963 Samba and is one of the most important settings in the \fI smb.conf\fR file.
5965 The option sets the "security mode bit" in replies to
5966 protocol negotiations with smbd(8)
5967 to turn share level security on or off. Clients decide
5968 based on this bit whether (and how) to transfer user and password
5969 information to the server.
5971 The default is \fBsecurity = user\fR, as this is
5972 the most common setting needed when talking to Windows 98 and
5975 The alternatives are \fBsecurity = share\fR,
5976 \fBsecurity = server\fR or \fBsecurity = domain
5979 In versions of Samba prior to 2.0.0, the default was
5980 \fBsecurity = share\fR mainly because that was
5981 the only option at one stage.
5983 There is a bug in WfWg that has relevance to this
5984 setting. When in user or server level security a WfWg client
5985 will totally ignore the password you type in the "connect
5986 drive" dialog box. This makes it very difficult (if not impossible)
5987 to connect to a Samba service as anyone except the user that
5988 you are logged into WfWg as.
5990 If your PCs use usernames that are the same as their
5991 usernames on the UNIX machine then you will want to use
5992 \fBsecurity = user\fR. If you mostly use usernames
5993 that don't exist on the UNIX box then use \fBsecurity =
5996 You should also use \fBsecurity = share\fR if you
5997 want to mainly setup shares without a password (guest shares). This
5998 is commonly used for a shared printer server. It is more difficult
5999 to setup guest shares with \fBsecurity = user\fR, see
6000 the \fImap to guest\fR
6001 parameter for details.
6003 It is possible to use \fBsmbd\fR in a \fB hybrid mode\fR where it is offers both user and share
6004 level security under different \fINetBIOS aliases\fR.
6006 The different settings will now be explained.
6010 When clients connect to a share level security server they
6011 need not log onto the server with a valid username and password before
6012 attempting to connect to a shared resource (although modern clients
6013 such as Windows 95/98 and Windows NT will send a logon request with
6014 a username but no password when talking to a \fBsecurity = share
6015 \fRserver). Instead, the clients send authentication information
6016 (passwords) on a per-share basis, at the time they attempt to connect
6019 Note that \fBsmbd\fR \fBALWAYS\fR
6020 uses a valid UNIX user to act on behalf of the client, even in
6021 \fBsecurity = share\fR level security.
6023 As clients are not required to send a username to the server
6024 in share level security, \fBsmbd\fR uses several
6025 techniques to determine the correct UNIX user to use on behalf
6028 A list of possible UNIX usernames to match with the given
6029 client password is constructed using the following methods :
6034 only\fR parameter is set, then all the other
6035 stages are missed and only the \fIguest account\fR username is checked.
6038 Is a username is sent with the share connection
6039 request, then this username (after mapping - see \fIusername map\fR),
6040 is added as a potential username.
6043 If the client did a previous \fBlogon
6044 \fRrequest (the SessionSetup SMB call) then the
6045 username sent in this SMB will be added as a potential username.
6048 The name of the service the client requested is
6049 added as a potential username.
6052 The NetBIOS name of the client is added to
6053 the list as a potential username.
6056 Any users on the \fI user\fR list are added as potential usernames.
6059 If the \fIguest only\fR parameter is
6060 not set, then this list is then tried with the supplied password.
6061 The first user for whom the password matches will be used as the
6065 If the \fIguest only\fR parameter is
6066 set, or no username can be determined then if the share is marked
6067 as available to the \fIguest account\fR, then this
6068 guest user will be used, otherwise access is denied.
6071 Note that it can be \fBvery\fR confusing
6072 in share-level security as to which UNIX username will eventually
6073 be used in granting access.
6076 See also the section NOTE ABOUT USERNAME/PASSWORD VALIDATION.
6082 This is the default security setting in Samba 2.2.
6083 With user-level security a client must first "log-on" with a
6084 valid username and password (which can be mapped using the \fIusername map\fR
6085 parameter). Encrypted passwords (see the \fIencrypted passwords\fR parameter) can also
6086 be used in this security mode. Parameters such as \fIuser\fR and \fIguest only\fR if set are then applied and
6087 may change the UNIX user to use on this connection, but only after
6088 the user has been successfully authenticated.
6091 \fBNote\fR that the name of the resource being
6092 requested is \fBnot\fR sent to the server until after
6093 the server has successfully authenticated the client. This is why
6094 guest shares don't work in user level security without allowing
6095 the server to automatically map unknown users into the \fIguest account\fR.
6096 See the \fImap to guest\fR
6097 parameter for details on doing this.
6100 See also the section NOTE ABOUT USERNAME/PASSWORD VALIDATION.
6103 \fBSECURITY = SERVER
6106 In this mode Samba will try to validate the username/password
6107 by passing it to another SMB server, such as an NT box. If this
6108 fails it will revert to \fBsecurity = user\fR, but note
6109 that if encrypted passwords have been negotiated then Samba cannot
6110 revert back to checking the UNIX password file, it must have a valid
6111 \fIsmbpasswd\fR file to check users against. See the
6112 documentation file in the \fIdocs/\fR directory
6113 \fIENCRYPTION.txt\fR for details on how to set this
6117 \fBNote\fR that from the client's point of
6118 view \fBsecurity = server\fR is the same as \fB security = user\fR. It only affects how the server deals
6119 with the authentication, it does not in any way affect what the
6123 \fBNote\fR that the name of the resource being
6124 requested is \fBnot\fR sent to the server until after
6125 the server has successfully authenticated the client. This is why
6126 guest shares don't work in user level security without allowing
6127 the server to automatically map unknown users into the \fIguest account\fR.
6128 See the \fImap to guest\fR
6129 parameter for details on doing this.
6132 See also the section NOTE ABOUT USERNAME/PASSWORD VALIDATION.
6135 See also the \fIpassword
6136 server\fR parameter and the \fIencrypted passwords\fR
6140 \fBSECURITY = DOMAIN
6143 This mode will only work correctly if smbpasswd(8) has been used to add this
6144 machine into a Windows NT Domain. It expects the \fIencrypted passwords\fR
6145 parameter to be set to yes. In this
6146 mode Samba will try to validate the username/password by passing
6147 it to a Windows NT Primary or Backup Domain Controller, in exactly
6148 the same way that a Windows NT Server would do.
6151 \fBNote\fR that a valid UNIX user must still
6152 exist as well as the account on the Domain Controller to allow
6153 Samba to have a valid UNIX account to map file access to.
6156 \fBNote\fR that from the client's point
6157 of view \fBsecurity = domain\fR is the same as \fBsecurity = user
6158 \fR\&. It only affects how the server deals with the authentication,
6159 it does not in any way affect what the client sees.
6162 \fBNote\fR that the name of the resource being
6163 requested is \fBnot\fR sent to the server until after
6164 the server has successfully authenticated the client. This is why
6165 guest shares don't work in user level security without allowing
6166 the server to automatically map unknown users into the \fIguest account\fR.
6167 See the \fImap to guest\fR
6168 parameter for details on doing this.
6171 \fBBUG:\fR There is currently a bug in the
6172 implementation of \fBsecurity = domain\fR with respect
6173 to multi-byte character set usernames. The communication with a
6174 Domain Controller must be done in UNICODE and Samba currently
6175 does not widen multi-byte user names to UNICODE correctly, thus
6176 a multi-byte username will not be recognized correctly at the
6177 Domain Controller. This issue will be addressed in a future release.
6180 See also the section NOTE ABOUT USERNAME/PASSWORD VALIDATION.
6183 See also the \fIpassword
6184 server\fR parameter and the \fIencrypted passwords\fR
6188 Default: \fBsecurity = USER\fR
6191 Example: \fBsecurity = DOMAIN\fR
6194 \fBsecurity mask (S)\fR
6195 This parameter controls what UNIX permission
6196 bits can be modified when a Windows NT client is manipulating
6197 the UNIX permission on a file using the native NT security
6200 This parameter is applied as a mask (AND'ed with) to
6201 the changed permission bits, thus preventing any bits not in
6202 this mask from being modified. Essentially, zero bits in this
6203 mask may be treated as a set of bits the user is not allowed
6206 If not set explicitly this parameter is 0777, allowing
6207 a user to modify all the user/group/world permissions on a file.
6209 \fBNote\fR that users who can access the
6210 Samba server through other means can easily bypass this
6211 restriction, so it is primarily useful for standalone
6212 "appliance" systems. Administrators of most normal systems will
6213 probably want to leave it set to 0777.
6215 See also the \fIforce directory security mode\fR,
6217 security mask\fR, \fIforce security mode\fR parameters.
6219 Default: \fBsecurity mask = 0777\fR
6221 Example: \fBsecurity mask = 0770\fR
6223 \fBserver string (G)\fR
6224 This controls what string will show up in the
6225 printer comment box in print manager and next to the IPC connection
6226 in \fBnet view\fR. It can be any string that you wish
6227 to show to your users.
6229 It also sets what will appear in browse lists next
6230 to the machine name.
6232 A \fI%v\fR will be replaced with the Samba
6235 A \fI%h\fR will be replaced with the
6238 Default: \fBserver string = Samba %v\fR
6240 Example: \fBserver string = University of GNUs Samba
6243 \fBset directory (S)\fR
6244 If \fBset directory = no\fR, then
6245 users of the service may not use the setdir command to change
6248 The \fBsetdir\fR command is only implemented
6249 in the Digital Pathworks client. See the Pathworks documentation
6252 Default: \fBset directory = no\fR
6254 \fBshare modes (S)\fR
6255 This enables or disables the honoring of
6256 the \fIshare modes\fR during a file open. These
6257 modes are used by clients to gain exclusive read or write access
6260 These open modes are not directly supported by UNIX, so
6261 they are simulated using shared memory, or lock files if your
6262 UNIX doesn't support shared memory (almost all do).
6264 The share modes that are enabled by this option are
6266 DENY_READ, DENY_WRITE,
6267 DENY_NONE and DENY_FCB.
6269 This option gives full share compatibility and enabled
6272 You should \fBNEVER\fR turn this parameter
6273 off as many Windows applications will break if you do so.
6275 Default: \fBshare modes = yes\fR
6277 \fBshort preserve case (S)\fR
6278 This boolean parameter controls if new files
6279 which conform to 8.3 syntax, that is all in upper case and of
6280 suitable length, are created upper case, or if they are forced
6281 to be the \fIdefault case
6282 \fR\&. This option can be use with \fBpreserve case = yes\fR
6283 to permit long filenames to retain their case, while short
6286 See the section on NAME MANGLING.
6288 Default: \fBshort preserve case = yes\fR
6290 \fBshow add printer wizard (G)\fR
6291 With the introduction of MS-RPC based printing support
6292 for Windows NT/2000 client in Samba 2.2, a "Printers..." folder will
6293 appear on Samba hosts in the share listing. Normally this folder will
6294 contain an icon for the MS Add Printer Wizard (APW). However, it is
6295 possible to disable this feature regardless of the level of privilege
6296 of the connected user.
6298 Under normal circumstances, the Windows NT/2000 client will
6299 open a handle on the printer server with OpenPrinterEx() asking for
6300 Administrator privileges. If the user does not have administrative
6301 access on the print server (i.e is not root or a member of the
6302 \fIprinter admin\fR group), the OpenPrinterEx()
6303 call fails and the client makes another open call with a request for
6304 a lower privilege level. This should succeed, however the APW
6305 icon will not be displayed.
6307 Disabling the \fIshow add printer wizard\fR
6308 parameter will always cause the OpenPrinterEx() on the server
6309 to fail. Thus the APW icon will never be displayed. \fB Note :\fRThis does not prevent the same user from having
6310 administrative privilege on an individual printer.
6312 See also \fIaddprinter
6313 command\fR, \fIdeleteprinter command\fR, \fIprinter admin\fR
6315 Default :\fBshow add printer wizard = yes\fR
6317 \fBsmb passwd file (G)\fR
6318 This option sets the path to the encrypted
6319 smbpasswd file. By default the path to the smbpasswd file
6320 is compiled into Samba.
6322 Default: \fBsmb passwd file = ${prefix}/private/smbpasswd
6324 Example: \fBsmb passwd file = /etc/samba/smbpasswd
6326 \fBsocket address (G)\fR
6327 This option allows you to control what
6328 address Samba will listen for connections on. This is used to
6329 support multiple virtual interfaces on the one server, each
6330 with a different configuration.
6332 By default Samba will accept connections on any
6335 Example: \fBsocket address = 192.168.2.20\fR
6337 \fBsocket options (G)\fR
6338 This option allows you to set socket options
6339 to be used when talking with the client.
6341 Socket options are controls on the networking layer
6342 of the operating systems which allow the connection to be
6345 This option will typically be used to tune your Samba
6346 server for optimal performance for your local network. There is
6347 no way that Samba can know what the optimal parameters are for
6348 your net, so you must experiment and choose them yourself. We
6349 strongly suggest you read the appropriate documentation for your
6350 operating system first (perhaps \fBman setsockopt\fR
6353 You may find that on some systems Samba will say
6354 "Unknown socket option" when you supply an option. This means you
6355 either incorrectly typed it or you need to add an include file
6356 to includes.h for your OS. If the latter is the case please
6357 send the patch to samba@samba.org <URL:mailto:samba@samba.org>.
6359 Any of the supported socket options may be combined
6360 in any way you like, as long as your OS allows it.
6362 This is the list of socket options currently settable
6397 Those marked with a \fB'*'\fR take an integer
6398 argument. The others can optionally take a 1 or 0 argument to enable
6399 or disable the option, by default they will be enabled if you
6400 don't specify 1 or 0.
6403 To specify an argument use the syntax SOME_OPTION = VALUE
6404 for example \fBSO_SNDBUF = 8192\fR. Note that you must
6405 not have any spaces before or after the = sign.
6408 If you are on a local network then a sensible option
6412 \fBsocket options = IPTOS_LOWDELAY\fR
6415 If you have a local network then you could try:
6418 \fBsocket options = IPTOS_LOWDELAY TCP_NODELAY\fR
6421 If you are on a wide area network then perhaps try
6422 setting IPTOS_THROUGHPUT.
6425 Note that several of the options may cause your Samba
6426 server to fail completely. Use these options with caution!
6429 Default: \fBsocket options = TCP_NODELAY\fR
6432 Example: \fBsocket options = IPTOS_LOWDELAY\fR
6435 \fBsource environment (G)\fR
6436 This parameter causes Samba to set environment
6437 variables as per the content of the file named.
6439 If the value of this parameter starts with a "|" character
6440 then Samba will treat that value as a pipe command to open and
6441 will set the environment variables from the output of the pipe.
6443 The contents of the file or the output of the pipe should
6444 be formatted as the output of the standard Unix \fBenv(1)
6445 \fRcommand. This is of the form :
6447 Example environment entry:
6449 \fBSAMBA_NETBIOS_NAME = myhostname\fR
6451 Default: \fBNo default value\fR
6453 Examples: \fBsource environment = |/etc/smb.conf.sh
6455 Example: \fBsource environment =
6456 /usr/local/smb_env_vars\fR
6459 This variable is part of SSL-enabled Samba. This
6460 is only available if the SSL libraries have been compiled on your
6461 system and the configure option \fB--with-ssl\fR was
6462 given at configure time.
6464 This variable enables or disables the entire SSL mode. If
6465 it is set to no, the SSL-enabled Samba behaves
6466 exactly like the non-SSL Samba. If set to yes,
6467 it depends on the variables \fI ssl hosts\fR and \fIssl hosts resign\fR whether an SSL
6468 connection will be required.
6470 Default: \fBssl = no\fR
6472 \fBssl CA certDir (G)\fR
6473 This variable is part of SSL-enabled Samba. This
6474 is only available if the SSL libraries have been compiled on your
6475 system and the configure option \fB--with-ssl\fR was
6476 given at configure time.
6478 This variable defines where to look up the Certification
6479 Authorities. The given directory should contain one file for
6480 each CA that Samba will trust. The file name must be the hash
6481 value over the "Distinguished Name" of the CA. How this directory
6482 is set up is explained later in this document. All files within the
6483 directory that don't fit into this naming scheme are ignored. You
6484 don't need this variable if you don't verify client certificates.
6486 Default: \fBssl CA certDir = /usr/local/ssl/certs
6488 \fBssl CA certFile (G)\fR
6489 This variable is part of SSL-enabled Samba. This
6490 is only available if the SSL libraries have been compiled on your
6491 system and the configure option \fB--with-ssl\fR was
6492 given at configure time.
6494 This variable is a second way to define the trusted CAs.
6495 The certificates of the trusted CAs are collected in one big
6496 file and this variable points to the file. You will probably
6497 only use one of the two ways to define your CAs. The first choice is
6498 preferable if you have many CAs or want to be flexible, the second
6499 is preferable if you only have one CA and want to keep things
6500 simple (you won't need to create the hashed file names). You
6501 don't need this variable if you don't verify client certificates.
6503 Default: \fBssl CA certFile = /usr/local/ssl/certs/trustedCAs.pem
6505 \fBssl ciphers (G)\fR
6506 This variable is part of SSL-enabled Samba. This
6507 is only available if the SSL libraries have been compiled on your
6508 system and the configure option \fB--with-ssl\fR was
6509 given at configure time.
6511 This variable defines the ciphers that should be offered
6512 during SSL negotiation. You should not set this variable unless
6513 you know what you are doing.
6515 \fBssl client cert (G)\fR
6516 This variable is part of SSL-enabled Samba. This
6517 is only available if the SSL libraries have been compiled on your
6518 system and the configure option \fB--with-ssl\fR was
6519 given at configure time.
6521 The certificate in this file is used by \fBsmbclient(1)\fR if it exists. It's needed
6522 if the server requires a client certificate.
6524 Default: \fBssl client cert = /usr/local/ssl/certs/smbclient.pem
6526 \fBssl client key (G)\fR
6527 This variable is part of SSL-enabled Samba. This
6528 is only available if the SSL libraries have been compiled on your
6529 system and the configure option \fB--with-ssl\fR was
6530 given at configure time.
6532 This is the private key for \fBsmbclient(1)\fR It's only needed if the
6533 client should have a certificate.
6535 Default: \fBssl client key = /usr/local/ssl/private/smbclient.pem
6537 \fBssl compatibility (G)\fR
6538 This variable is part of SSL-enabled Samba. This
6539 is only available if the SSL libraries have been compiled on your
6540 system and the configure option \fB--with-ssl\fR was
6541 given at configure time.
6543 This variable defines whether OpenSSL should be configured
6544 for bug compatibility with other SSL implementations. This is
6545 probably not desirable because currently no clients with SSL
6546 implementations other than OpenSSL exist.
6548 Default: \fBssl compatibility = no\fR
6550 \fBssl egd socket (G)\fR
6551 This variable is part of SSL-enabled Samba. This
6552 is only available if the SSL libraries have been compiled on your
6553 system and the configure option \fB--with-ssl\fR was
6554 given at configure time.
6556 This option is used to define the location of the communiation socket of
6557 an EGD or PRNGD daemon, from which entropy can be retrieved. This option
6558 can be used instead of or together with the \fIssl entropy file\fR
6559 directive. 255 bytes of entropy will be retrieved from the daemon.
6563 \fBssl entropy bytes (G)\fR
6564 This variable is part of SSL-enabled Samba. This
6565 is only available if the SSL libraries have been compiled on your
6566 system and the configure option \fB--with-ssl\fR was
6567 given at configure time.
6569 This parameter is used to define the number of bytes which should
6570 be read from the \fIssl entropy
6571 file\fR If a -1 is specified, the entire file will
6574 Default: \fBssl entropy bytes = 255\fR
6576 \fBssl entropy file (G)\fR
6577 This variable is part of SSL-enabled Samba. This
6578 is only available if the SSL libraries have been compiled on your
6579 system and the configure option \fB--with-ssl\fR was
6580 given at configure time.
6582 This parameter is used to specify a file from which processes will
6583 read "random bytes" on startup. In order to seed the internal pseudo
6584 random number generator, entropy must be provided. On system with a
6585 \fI/dev/urandom\fR device file, the processes
6586 will retrieve its entropy from the kernel. On systems without kernel
6587 entropy support, a file can be supplied that will be read on startup
6588 and that will be used to seed the PRNG.
6593 See \fI ssl hosts resign\fR.
6595 \fBssl hosts resign (G)\fR
6596 This variable is part of SSL-enabled Samba. This
6597 is only available if the SSL libraries have been compiled on your
6598 system and the configure option \fB--with-ssl\fR was
6599 given at configure time.
6601 These two variables define whether Samba will go
6602 into SSL mode or not. If none of them is defined, Samba will
6603 allow only SSL connections. If the \fIssl hosts\fR variable lists
6604 hosts (by IP-address, IP-address range, net group or name),
6605 only these hosts will be forced into SSL mode. If the \fI ssl hosts resign\fR variable lists hosts, only these
6606 hosts will \fBNOT\fR be forced into SSL mode. The syntax for these two
6607 variables is the same as for the \fI hosts allow\fR and \fIhosts deny\fR pair of variables, only
6608 that the subject of the decision is different: It's not the access
6609 right but whether SSL is used or not.
6611 The example below requires SSL connections from all hosts
6612 outside the local net (which is 192.168.*.*).
6614 Default: \fBssl hosts = <empty string>\fR
6616 \fBssl hosts resign = <empty string>\fR
6618 Example: \fBssl hosts resign = 192.168.\fR
6620 \fBssl require clientcert (G)\fR
6621 This variable is part of SSL-enabled Samba. This
6622 is only available if the SSL libraries have been compiled on your
6623 system and the configure option \fB--with-ssl\fR was
6624 given at configure time.
6626 If this variable is set to yes, the
6627 server will not tolerate connections from clients that don't
6628 have a valid certificate. The directory/file given in \fIssl CA certDir\fR
6629 and \fIssl CA certFile
6630 \fRwill be used to look up the CAs that issued
6631 the client's certificate. If the certificate can't be verified
6632 positively, the connection will be terminated. If this variable
6633 is set to no, clients don't need certificates.
6634 Contrary to web applications you really \fBshould\fR
6635 require client certificates. In the web environment the client's
6636 data is sensitive (credit card numbers) and the server must prove
6637 to be trustworthy. In a file server environment the server's data
6638 will be sensitive and the clients must prove to be trustworthy.
6640 Default: \fBssl require clientcert = no\fR
6642 \fBssl require servercert (G)\fR
6643 This variable is part of SSL-enabled Samba. This
6644 is only available if the SSL libraries have been compiled on your
6645 system and the configure option \fB--with-ssl\fR was
6646 given at configure time.
6648 If this variable is set to yes, the
6650 will request a certificate from the server. Same as
6652 clientcert\fR for the server.
6654 Default: \fBssl require servercert = no\fR
6656 \fBssl server cert (G)\fR
6657 This variable is part of SSL-enabled Samba. This
6658 is only available if the SSL libraries have been compiled on your
6659 system and the configure option \fB--with-ssl\fR was
6660 given at configure time.
6662 This is the file containing the server's certificate.
6663 The server \fBmust\fR have a certificate. The
6664 file may also contain the server's private key. See later for
6665 how certificates and private keys are created.
6667 Default: \fBssl server cert = <empty string>
6669 \fBssl server key (G)\fR
6670 This variable is part of SSL-enabled Samba. This
6671 is only available if the SSL libraries have been compiled on your
6672 system and the configure option \fB--with-ssl\fR was
6673 given at configure time.
6675 This file contains the private key of the server. If
6676 this variable is not defined, the key is looked up in the
6677 certificate file (it may be appended to the certificate).
6678 The server \fBmust\fR have a private key
6679 and the certificate \fBmust\fR
6680 match this private key.
6682 Default: \fBssl server key = <empty string>
6684 \fBssl version (G)\fR
6685 This variable is part of SSL-enabled Samba. This
6686 is only available if the SSL libraries have been compiled on your
6687 system and the configure option \fB--with-ssl\fR was
6688 given at configure time.
6690 This enumeration variable defines the versions of the
6691 SSL protocol that will be used. ssl2or3 allows
6692 dynamic negotiation of SSL v2 or v3, ssl2 results
6693 in SSL v2, ssl3 results in SSL v3 and
6694 tls1 results in TLS v1. TLS (Transport Layer
6695 Security) is the new standard for SSL.
6697 Default: \fBssl version = "ssl2or3"\fR
6699 \fBstat cache (G)\fR
6700 This parameter determines if smbd(8) will use a cache in order to
6701 speed up case insensitive name mappings. You should never need
6702 to change this parameter.
6704 Default: \fBstat cache = yes\fR
6706 \fBstat cache size (G)\fR
6707 This parameter determines the number of
6708 entries in the \fIstat cache\fR. You should
6709 never need to change this parameter.
6711 Default: \fBstat cache size = 50\fR
6714 This enables or disables logging of connections
6715 to a status file that smbstatus(1)
6718 With this disabled \fBsmbstatus\fR won't be able
6719 to tell you what connections are active. You should never need to
6720 change this parameter.
6722 Default: \fBstatus = yes\fR
6724 \fBstrict allocate (S)\fR
6725 This is a boolean that controls the handling of
6726 disk space allocation in the server. When this is set to yes
6727 the server will change from UNIX behaviour of not committing real
6728 disk storage blocks when a file is extended to the Windows behaviour
6729 of actually forcing the disk system to allocate real storage blocks
6730 when a file is created or extended to be a given size. In UNIX
6731 terminology this means that Samba will stop creating sparse files.
6732 This can be slow on some systems.
6734 When strict allocate is no the server does sparse
6735 disk block allocation when a file is extended.
6737 Setting this to yes can help Samba return
6738 out of quota messages on systems that are restricting the disk quota
6741 Default: \fBstrict allocate = no\fR
6743 \fBstrict locking (S)\fR
6744 This is a boolean that controls the handling of
6745 file locking in the server. When this is set to yes
6746 the server will check every read and write access for file locks, and
6747 deny access if locks exist. This can be slow on some systems.
6749 When strict locking is no the server does file
6750 lock checks only when the client explicitly asks for them.
6752 Well-behaved clients always ask for lock checks when it
6753 is important, so in the vast majority of cases \fBstrict
6754 locking = no\fR is preferable.
6756 Default: \fBstrict locking = no\fR
6758 \fBstrict sync (S)\fR
6759 Many Windows applications (including the Windows
6760 98 explorer shell) seem to confuse flushing buffer contents to
6761 disk with doing a sync to disk. Under UNIX, a sync call forces
6762 the process to be suspended until the kernel has ensured that
6763 all outstanding data in kernel disk buffers has been safely stored
6764 onto stable storage. This is very slow and should only be done
6765 rarely. Setting this parameter to no (the
6766 default) means that smbd ignores the Windows applications requests for
6767 a sync call. There is only a possibility of losing data if the
6768 operating system itself that Samba is running on crashes, so there is
6769 little danger in this default setting. In addition, this fixes many
6770 performance problems that people have reported with the new Windows98
6771 explorer shell file copies.
6773 See also the \fIsync
6774 always>\fR parameter.
6776 Default: \fBstrict sync = no\fR
6779 This parameter is now unused in Samba (2.2.5 and above).
6780 It used strip trailing dots off UNIX filenames but was not correctly implmented.
6781 In Samba 2.2.5 and above UNIX filenames ending in a dot are invalid Windows long
6782 filenames (as they are in Windows NT and above) and are mangled to 8.3 before
6783 being returned to a client.
6785 Default: \fBstrip dot = no\fR
6787 \fBsync always (S)\fR
6788 This is a boolean parameter that controls
6789 whether writes will always be written to stable storage before
6790 the write call returns. If this is no then the server will be
6791 guided by the client's request in each write call (clients can
6792 set a bit indicating that a particular write should be synchronous).
6793 If this is yes then every write will be followed by a \fBfsync()
6794 \fRcall to ensure the data is written to disk. Note that
6795 the \fIstrict sync\fR parameter must be set to
6796 yes in order for this parameter to have
6799 See also the \fIstrict
6802 Default: \fBsync always = no\fR
6805 This parameter maps how Samba debug messages
6806 are logged onto the system syslog logging levels. Samba debug
6807 level zero maps onto syslog LOG_ERR, debug
6808 level one maps onto LOG_WARNING, debug level
6809 two maps onto LOG_NOTICE, debug level three
6810 maps onto LOG_INFO. All higher levels are mapped to LOG_DEBUG.
6812 This parameter sets the threshold for sending messages
6813 to syslog. Only messages with debug level less than this value
6814 will be sent to syslog.
6816 Default: \fBsyslog = 1\fR
6818 \fBsyslog only (G)\fR
6819 If this parameter is set then Samba debug
6820 messages are logged into the system syslog only, and not to
6821 the debug log files.
6823 Default: \fBsyslog only = no\fR
6825 \fBtemplate homedir (G)\fR
6826 When filling out the user information for a Windows NT
6827 user, the winbindd(8) daemon
6828 uses this parameter to fill in the home directory for that user.
6829 If the string \fI%D\fR is present it is substituted
6830 with the user's Windows NT domain name. If the string \fI%U
6831 \fRis present it is substituted with the user's Windows
6834 Default: \fBtemplate homedir = /home/%D/%U\fR
6836 \fBtemplate shell (G)\fR
6837 When filling out the user information for a Windows NT
6838 user, the winbindd(8) daemon
6839 uses this parameter to fill in the login shell for that user.
6841 Default: \fBtemplate shell = /bin/false\fR
6843 \fBtime offset (G)\fR
6844 This parameter is a setting in minutes to add
6845 to the normal GMT to local time conversion. This is useful if
6846 you are serving a lot of PCs that have incorrect daylight
6847 saving time handling.
6849 Default: \fBtime offset = 0\fR
6851 Example: \fBtime offset = 60\fR
6853 \fBtime server (G)\fR
6854 This parameter determines if
6855 nmbd(8) advertises itself as a time server to Windows
6858 Default: \fBtime server = no\fR
6860 \fBtimestamp logs (G)\fR
6861 Synonym for \fI debug timestamp\fR.
6863 \fBtotal print jobs (G)\fR
6864 This parameter accepts an integer value which defines
6865 a limit on the maximum number of print jobs that will be accepted
6866 system wide at any given time. If a print job is submitted
6867 by a client which will exceed this number, then smbd will return an
6868 error indicating that no space is available on the server. The
6869 default value of 0 means that no such limit exists. This parameter
6870 can be used to prevent a server from exceeding its capacity and is
6871 designed as a printing throttle. See also
6872 \fImax print jobs\fR.
6874 Default: \fBtotal print jobs = 0\fR
6876 Example: \fBtotal print jobs = 5000\fR
6878 \fBunix extensions(G)\fR
6879 This boolean parameter controls whether Samba
6880 implments the CIFS UNIX extensions, as defined by HP.
6881 These extensions enable Samba to better serve UNIX CIFS clients
6882 by supporting features such as symbolic links, hard links, etc...
6883 These extensions require a similarly enabled client, and are of
6884 no current use to Windows clients.
6886 Default: \fBunix extensions = no\fR
6888 \fBunix password sync (G)\fR
6889 This boolean parameter controls whether Samba
6890 attempts to synchronize the UNIX password with the SMB password
6891 when the encrypted SMB password in the smbpasswd file is changed.
6892 If this is set to yes the program specified in the \fIpasswd
6893 program\fRparameter is called \fBAS ROOT\fR -
6894 to allow the new UNIX password to be set without access to the
6895 old UNIX password (as the SMB password change code has no
6896 access to the old password cleartext, only the new).
6899 program\fR, \fI passwd chat\fR.
6901 Default: \fBunix password sync = no\fR
6903 \fBupdate encrypted (G)\fR
6904 This boolean parameter allows a user logging
6905 on with a plaintext password to have their encrypted (hashed)
6906 password in the smbpasswd file to be updated automatically as
6907 they log on. This option allows a site to migrate from plaintext
6908 password authentication (users authenticate with plaintext
6909 password over the wire, and are checked against a UNIX account
6910 database) to encrypted password authentication (the SMB
6911 challenge/response authentication mechanism) without forcing
6912 all users to re-enter their passwords via smbpasswd at the time the
6913 change is made. This is a convenience option to allow the change over
6914 to encrypted passwords to be made over a longer period. Once all users
6915 have encrypted representations of their passwords in the smbpasswd
6916 file this parameter should be set to no.
6918 In order for this parameter to work correctly the \fIencrypt passwords\fR
6919 parameter must be set to no when
6920 this parameter is set to yes.
6922 Note that even when this parameter is set a user
6923 authenticating to \fBsmbd\fR must still enter a valid
6924 password in order to connect correctly, and to update their hashed
6925 (smbpasswd) passwords.
6927 Default: \fBupdate encrypted = no\fR
6929 \fBuse client driver (S)\fR
6930 This parameter applies only to Windows NT/2000
6931 clients. It has no affect on Windows 95/98/ME clients. When
6932 serving a printer to Windows NT/2000 clients without first installing
6933 a valid printer driver on the Samba host, the client will be required
6934 to install a local printer driver. From this point on, the client
6935 will treat the print as a local printer and not a network printer
6936 connection. This is much the same behavior that will occur
6937 when \fBdisable spoolss = yes\fR.
6940 factor is that under normal circumstances, the NT/2000 client will
6941 attempt to open the network printer using MS-RPC. The problem is that
6942 because the client considers the printer to be local, it will attempt
6943 to issue the OpenPrinterEx() call requesting access rights associated
6944 with the logged on user. If the user possesses local administator rights
6945 but not root privilegde on the Samba host (often the case), the OpenPrinterEx()
6946 call will fail. The result is that the client will now display an "Access
6947 Denied; Unable to connect" message in the printer queue window (even though
6948 jobs may successfully be printed).
6950 If this parameter is enabled for a printer, then any attempt
6951 to open the printer with the PRINTER_ACCESS_ADMINISTER right is mapped
6952 to PRINTER_ACCESS_USE instead. Thus allowing the OpenPrinterEx()
6953 call to succeed. \fBThis parameter MUST not be able enabled
6954 on a print share which has valid print driver installed on the Samba
6957 See also disable spoolss
6959 Default: \fBuse client driver = no\fR
6962 This global parameter determines if the tdb internals of Samba can
6963 depend on mmap working correctly on the running system. Samba requires a coherent
6964 mmap/read-write system memory cache. Currently only HPUX does not have such a
6965 coherent cache, and so this parameter is set to no by
6966 default on HPUX. On all other systems this parameter should be left alone. This
6967 parameter is provided to help the Samba developers track down problems with
6968 the tdb internal code.
6970 Default: \fBuse mmap = yes\fR
6972 \fBuse rhosts (G)\fR
6973 If this global parameter is yes, it specifies
6974 that the UNIX user's \fI.rhosts\fR file in their home directory
6975 will be read to find the names of hosts and users who will be allowed
6976 access without specifying a password.
6978 \fBNOTE:\fR The use of \fIuse rhosts
6979 \fRcan be a major security hole. This is because you are
6980 trusting the PC to supply the correct username. It is very easy to
6981 get a PC to supply a false username. I recommend that the \fI use rhosts\fR option be only used if you really know what
6984 Default: \fBuse rhosts = no\fR
6987 Synonym for \fI username\fR.
6990 Synonym for \fI username\fR.
6993 Multiple users may be specified in a comma-delimited
6994 list, in which case the supplied password will be tested against
6995 each username in turn (left to right).
6997 The \fIusername\fR line is needed only when
6998 the PC is unable to supply its own username. This is the case
6999 for the COREPLUS protocol or where your users have different WfWg
7000 usernames to UNIX usernames. In both these cases you may also be
7001 better using the \\\\server\\share%user syntax instead.
7003 The \fIusername\fR line is not a great
7004 solution in many cases as it means Samba will try to validate
7005 the supplied password against each of the usernames in the
7006 \fIusername\fR line in turn. This is slow and
7007 a bad idea for lots of users in case of duplicate passwords.
7008 You may get timeouts or security breaches using this parameter
7011 Samba relies on the underlying UNIX security. This
7012 parameter does not restrict who can login, it just offers hints
7013 to the Samba server as to what usernames might correspond to the
7014 supplied password. Users can login as whoever they please and
7015 they will be able to do no more damage than if they started a
7016 telnet session. The daemon runs as the user that they log in as,
7017 so they cannot do anything that user cannot do.
7019 To restrict a service to a particular set of users you
7020 can use the \fIvalid users
7023 If any of the usernames begin with a '@' then the name
7024 will be looked up first in the NIS netgroups list (if Samba
7025 is compiled with netgroup support), followed by a lookup in
7026 the UNIX groups database and will expand to a list of all users
7027 in the group of that name.
7029 If any of the usernames begin with a '+' then the name
7030 will be looked up only in the UNIX groups database and will
7031 expand to a list of all users in the group of that name.
7033 If any of the usernames begin with a '&'then the name
7034 will be looked up only in the NIS netgroups database (if Samba
7035 is compiled with netgroup support) and will expand to a list
7036 of all users in the netgroup group of that name.
7038 Note that searching though a groups database can take
7039 quite some time, and some clients may time out during the
7042 See the section NOTE ABOUT
7043 USERNAME/PASSWORD VALIDATION for more information on how
7044 this parameter determines access to the services.
7046 Default: \fBThe guest account if a guest service,
7047 else <empty string>.\fR
7049 Examples:\fBusername = fred, mary, jack, jane,
7052 \fBusername level (G)\fR
7053 This option helps Samba to try and 'guess' at
7054 the real UNIX username, as many DOS clients send an all-uppercase
7055 username. By default Samba tries all lowercase, followed by the
7056 username with the first letter capitalized, and fails if the
7057 username is not found on the UNIX machine.
7059 If this parameter is set to non-zero the behavior changes.
7060 This parameter is a number that specifies the number of uppercase
7061 combinations to try while trying to determine the UNIX user name. The
7062 higher the number the more combinations will be tried, but the slower
7063 the discovery of usernames will be. Use this parameter when you have
7064 strange usernames on your UNIX machine, such as AstrangeUser
7067 Default: \fBusername level = 0\fR
7069 Example: \fBusername level = 5\fR
7071 \fBusername map (G)\fR
7072 This option allows you to specify a file containing
7073 a mapping of usernames from the clients to the server. This can be
7074 used for several purposes. The most common is to map usernames
7075 that users use on DOS or Windows machines to those that the UNIX
7076 box uses. The other is to map multiple users to a single username
7077 so that they can more easily share files.
7079 The map file is parsed line by line. Each line should
7080 contain a single UNIX username on the left then a '=' followed
7081 by a list of usernames on the right. The list of usernames on the
7082 right may contain names of the form @group in which case they
7083 will match any UNIX username in that group. The special client
7084 name '*' is a wildcard and matches any name. Each line of the
7085 map file may be up to 1023 characters long.
7087 The file is processed on each line by taking the
7088 supplied username and comparing it with each username on the right
7089 hand side of the '=' signs. If the supplied name matches any of
7090 the names on the right hand side then it is replaced with the name
7091 on the left. Processing then continues with the next line.
7093 If any line begins with a '#' or a ';' then it is
7096 If any line begins with an '!' then the processing
7097 will stop after that line if a mapping was done by the line.
7098 Otherwise mapping continues with every line being processed.
7099 Using '!' is most useful when you have a wildcard mapping line
7102 For example to map from the name admin
7103 or administrator to the UNIX name root you would use:
7105 \fBroot = admin administrator\fR
7107 Or to map anyone in the UNIX group system
7108 to the UNIX name sys you would use:
7112 You can have as many mappings as you like in a username
7115 If your system supports the NIS NETGROUP option then
7116 the netgroup database is checked before the \fI/etc/group
7117 \fRdatabase for matching groups.
7119 You can map Windows usernames that have spaces in them
7120 by using double quotes around the name. For example:
7122 \fBtridge = "Andrew Tridgell"\fR
7124 would map the windows username "Andrew Tridgell" to the
7125 unix username "tridge".
7127 The following example would map mary and fred to the
7128 unix user sys, and map the rest to guest. Note the use of the
7129 \&'!' to tell Samba to stop processing if it gets a match on
7140 Note that the remapping is applied to all occurrences
7141 of usernames. Thus if you connect to \\\\server\\fred and fred is remapped to mary then you
7142 will actually be connecting to \\\\server\\mary and will need to
7143 supply a password suitable for mary not
7144 fred. The only exception to this is the
7145 username passed to the \fI password server\fR (if you have one). The password
7146 server will receive whatever username the client supplies without
7149 Also note that no reverse mapping is done. The main effect
7150 this has is with printing. Users who have been mapped may have
7151 trouble deleting print jobs as PrintManager under WfWg will think
7152 they don't own the print job.
7154 Default: \fBno username map\fR
7156 Example: \fBusername map = /usr/local/samba/lib/users.map
7158 \fBuse sendfile (S)\fR
7159 If this parameter is yes, and Samba
7160 was built with the --with-sendfile-support option, and the underlying operating
7161 system supports sendfile system call, then some SMB read calls (mainly ReadAndX
7162 and ReadRaw) will use the more efficient sendfile system call for files that
7163 are exclusively oplocked. This may make more efficient use of the system CPU's
7164 and cause Samba to be faster. This is off by default as it's effects are unknown
7167 Default: \fBuse sendfile = no\fR
7170 This boolean parameter is only available if
7171 Samba has been configured and compiled with the option \fB --with-utmp\fR. If set to yes then Samba will attempt
7172 to add utmp or utmpx records (depending on the UNIX system) whenever a
7173 connection is made to a Samba server. Sites may use this to record the
7174 user connecting to a Samba share.
7176 See also the \fI utmp directory\fR parameter.
7178 Default: \fButmp = no\fR
7180 \fButmp directory(G)\fR
7181 This parameter is only available if Samba has
7182 been configured and compiled with the option \fB --with-utmp\fR. It specifies a directory pathname that is
7183 used to store the utmp or utmpx files (depending on the UNIX system) that
7184 record user connections to a Samba server. See also the \fIutmp\fR parameter. By default this is
7185 not set, meaning the system will use whatever utmp file the
7186 native system is set to use (usually
7187 \fI/var/run/utmp\fR on Linux).
7189 Default: \fBno utmp directory\fR
7191 \fBvalid chars (G)\fR
7192 The option allows you to specify additional
7193 characters that should be considered valid by the server in
7194 filenames. This is particularly useful for national character
7195 sets, such as adding u-umlaut or a-ring.
7197 The option takes a list of characters in either integer
7198 or character form with spaces between them. If you give two
7199 characters with a colon between them then it will be taken as
7200 an lowercase:uppercase pair.
7202 If you have an editor capable of entering the characters
7203 into the config file then it is probably easiest to use this
7204 method. Otherwise you can specify the characters in octal,
7205 decimal or hexadecimal form using the usual C notation.
7207 For example to add the single character 'Z' to the charset
7208 (which is a pointless thing to do as it's already there) you could
7209 do one of the following
7215 valid chars = 0132:0172
7220 The last two examples above actually add two characters,
7221 and alter the uppercase and lowercase mappings appropriately.
7223 Note that you \fBMUST\fR specify this parameter
7224 after the \fIclient code page\fR parameter if you
7225 have both set. If \fIclient code page\fR is set after
7226 the \fIvalid chars\fR parameter the \fIvalid
7227 chars\fR settings will be overwritten.
7229 See also the \fIclient
7230 code page\fR parameter.
7232 Default: \fBSamba defaults to using a reasonable set
7233 of valid characters for English systems\fR
7235 Example: \fBvalid chars = 0345:0305 0366:0326 0344:0304
7237 The above example allows filenames to have the Swedish
7240 \fBNOTE:\fR It is actually quite difficult to
7241 correctly produce a \fIvalid chars\fR line for
7242 a particular system. To automate the process tino@augsburg.net <URL:mailto:tino@augsburg.net> has written
7243 a package called \fBvalidchars\fR which will automatically
7244 produce a complete \fIvalid chars\fR line for
7245 a given client system. Look in the \fIexamples/validchars/
7246 \fRsubdirectory of your Samba source code distribution
7249 \fBvalid users (S)\fR
7250 This is a list of users that should be allowed
7251 to login to this service. Names starting with '@', '+' and '&'
7252 are interpreted using the same rules as described in the
7253 \fIinvalid users\fR parameter.
7255 If this is empty (the default) then any user can login.
7256 If a username is in both this list and the \fIinvalid
7257 users\fR list then access is denied for that user.
7259 The current servicename is substituted for \fI%S
7260 \fR\&. This is useful in the [homes] section.
7262 See also \fIinvalid users
7264 Default: \fBNo valid users list (anyone can login)
7266 Example: \fBvalid users = greg, @pcusers\fR
7269 This is a list of files and directories that
7270 are neither visible nor accessible. Each entry in the list must
7271 be separated by a '/', which allows spaces to be included
7272 in the entry. '*' and '?' can be used to specify multiple files
7273 or directories as in DOS wildcards.
7275 Each entry must be a unix path, not a DOS path and
7276 must \fBnot\fR include the unix directory
7279 Note that the \fIcase sensitive\fR option
7280 is applicable in vetoing files.
7282 One feature of the veto files parameter that it
7283 is important to be aware of is Samba's behaviour when
7284 trying to delete a directory. If a directory that is
7285 to be deleted contains nothing but veto files this
7286 deletion will \fBfail\fR unless you also set
7287 the \fIdelete veto files\fR parameter to
7290 Setting this parameter will affect the performance
7291 of Samba, as it will be forced to check all files and directories
7292 for a match as they are scanned.
7294 See also \fIhide files
7295 \fRand \fI case sensitive\fR.
7297 Default: \fBNo files or directories are vetoed.
7302 ; Veto any files containing the word Security,
7303 ; any ending in .tmp, and any directory containing the
7305 veto files = /*Security*/*.tmp/*root*/
7307 ; Veto the Apple specific files that a NetAtalk server
7309 veto files = /.AppleDouble/.bin/.AppleDesktop/Network Trash Folder/
7313 \fBveto oplock files (S)\fR
7314 This parameter is only valid when the \fIoplocks\fR
7315 parameter is turned on for a share. It allows the Samba administrator
7316 to selectively turn off the granting of oplocks on selected files that
7317 match a wildcarded list, similar to the wildcarded list used in the
7321 Default: \fBNo files are vetoed for oplock
7324 You might want to do this on files that you know will
7325 be heavily contended for by clients. A good example of this
7326 is in the NetBench SMB benchmark program, which causes heavy
7327 client contention for files ending in \fI.SEM\fR.
7328 To cause Samba not to grant oplocks on these files you would use
7329 the line (either in the [global] section or in the section for
7330 the particular NetBench share :
7332 Example: \fBveto oplock files = /*.SEM/
7334 \fBvfs object (S)\fR
7335 This parameter specifies a shared object file that
7336 is used for Samba VFS I/O operations. By default, normal
7337 disk I/O operations are used but these can be overloaded
7338 with a VFS object. The Samba VFS layer is new to Samba 2.2 and
7339 must be enabled at compile time with --with-vfs.
7341 Default : \fBno value\fR
7343 \fBvfs options (S)\fR
7344 This parameter allows parameters to be passed
7345 to the vfs layer at initialization time. The Samba VFS layer
7346 is new to Samba 2.2 and must be enabled at compile time
7347 with --with-vfs. See also \fI vfs object\fR.
7349 Default : \fBno value\fR
7352 This allows you to override the volume label
7353 returned for a share. Useful for CDROMs with installation programs
7354 that insist on a particular volume label.
7356 Default: \fBthe name of the share\fR
7358 \fBwide links (S)\fR
7359 This parameter controls whether or not links
7360 in the UNIX file system may be followed by the server. Links
7361 that point to areas within the directory tree exported by the
7362 server are always allowed; this parameter controls access only
7363 to areas that are outside the directory tree being exported.
7365 Note that setting this parameter can have a negative
7366 effect on your server performance due to the extra system calls
7367 that Samba has to do in order to perform the link checks.
7369 Default: \fBwide links = yes\fR
7371 \fBwinbind cache time (G)\fR
7372 This parameter specifies the number of seconds the
7373 winbindd(8) daemon will cache
7374 user and group information before querying a Windows NT server
7377 Default: \fBwinbind cache type = 15\fR
7379 \fBwinbind enum users (G)\fR
7380 On large installations using
7381 winbindd(8) it may be
7382 necessary to suppress the enumeration of users through the
7384 \fBgetpwent()\fR and
7385 \fBendpwent()\fR group of system calls. If
7386 the \fIwinbind enum users\fR parameter is
7387 no, calls to the \fBgetpwent\fR system call
7388 will not return any data.
7390 \fBWarning:\fR Turning off user
7391 enumeration may cause some programs to behave oddly. For
7392 example, the finger program relies on having access to the
7393 full user list when searching for matching
7396 Default: \fBwinbind enum users = yes \fR
7398 \fBwinbind enum groups (G)\fR
7399 On large installations using
7400 winbindd(8) it may be
7401 necessary to suppress the enumeration of groups through the
7403 \fBgetgrent()\fR and
7404 \fBendgrent()\fR group of system calls. If
7405 the \fIwinbind enum groups\fR parameter is
7406 no, calls to the \fBgetgrent()\fR system
7407 call will not return any data.
7409 \fBWarning:\fR Turning off group
7410 enumeration may cause some programs to behave oddly.
7412 Default: \fBwinbind enum groups = yes \fR
7414 \fBwinbind gid (G)\fR
7415 The winbind gid parameter specifies the range of group
7416 ids that are allocated by the winbindd(8) daemon. This range of group ids should have no
7417 existing local or NIS groups within it as strange conflicts can
7420 Default: \fBwinbind gid = <empty string>
7422 Example: \fBwinbind gid = 10000-20000\fR
7424 \fBwinbind separator (G)\fR
7425 This parameter allows an admin to define the character
7426 used when listing a username of the form of \fIDOMAIN
7427 \fR\\\fIuser\fR. This parameter
7428 is only applicable when using the \fIpam_winbind.so\fR
7429 and \fInss_winbind.so\fR modules for UNIX services.
7431 Please note that setting this parameter to + causes problems
7432 with group membership at least on glibc systems, as the character +
7433 is used as a special character for NIS in /etc/group.
7435 Default: \fBwinbind separator = '\\'\fR
7437 Example: \fBwinbind separator = +\fR
7439 \fBwinbind uid (G)\fR
7440 The winbind gid parameter specifies the range of group
7441 ids that are allocated by the winbindd(8) daemon. This range of ids should have no
7442 existing local or NIS users within it as strange conflicts can
7445 Default: \fBwinbind uid = <empty string>
7447 Example: \fBwinbind uid = 10000-20000\fR
7449 \fBwinbind use default domain\fR
7451 \fBwinbind use default domain\fR
7452 This parameter specifies whether the winbindd(8)
7453 daemon should operate on users without domain component in their username.
7454 Users without a domain component are treated as is part of the winbindd server's
7455 own domain. While this does not benifit Windows users, it makes SSH, FTP and e-mail
7456 function in a way much closer to the way they would in a native unix system.
7458 Default: \fBwinbind use default domain = <no>
7460 Example: \fBwinbind use default domain = yes\fR
7463 When Samba is running as a WINS server this
7464 allows you to call an external program for all changes to the
7465 WINS database. The primary use for this option is to allow the
7466 dynamic update of external name resolution databases such as
7469 The wins hook parameter specifies the name of a script
7470 or executable that will be called as follows:
7472 \fBwins_hook operation name nametype ttl IP_list
7476 The first argument is the operation and is one
7477 of "add", "delete", or "refresh". In most cases the operation can
7478 be ignored as the rest of the parameters provide sufficient
7479 information. Note that "refresh" may sometimes be called when the
7480 name has not previously been added, in that case it should be treated
7484 The second argument is the NetBIOS name. If the
7485 name is not a legal name then the wins hook is not called.
7486 Legal names contain only letters, digits, hyphens, underscores
7490 The third argument is the NetBIOS name
7491 type as a 2 digit hexadecimal number.
7494 The fourth argument is the TTL (time to live)
7495 for the name in seconds.
7498 The fifth and subsequent arguments are the IP
7499 addresses currently registered for that name. If this list is
7500 empty then the name should be deleted.
7503 An example script that calls the BIND dynamic DNS update
7504 program \fBnsupdate\fR is provided in the examples
7505 directory of the Samba source code.
7508 \fBwins proxy (G)\fR
7509 This is a boolean that controls if nmbd(8) will respond to broadcast name
7510 queries on behalf of other hosts. You may need to set this
7511 to yes for some older clients.
7513 Default: \fBwins proxy = no\fR
7515 \fBwins server (G)\fR
7516 This specifies the IP address (or DNS name: IP
7517 address for preference) of the WINS server that nmbd(8) should register with. If you have a WINS server on
7518 your network then you should set this to the WINS server's IP.
7520 You should point this at your WINS server if you have a
7521 multi-subnetted network.
7523 \fBNOTE\fR. You need to set up Samba to point
7524 to a WINS server if you have multiple subnets and wish cross-subnet
7525 browsing to work correctly.
7527 See the documentation file \fIBROWSING.txt\fR
7528 in the docs/ directory of your Samba source distribution.
7530 Default: \fBnot enabled\fR
7532 Example: \fBwins server = 192.9.200.1\fR
7534 \fBwins support (G)\fR
7535 This boolean controls if the
7536 nmbd(8) process in Samba will act as a WINS server. You should
7537 not set this to yes unless you have a multi-subnetted network and
7538 you wish a particular \fBnmbd\fR to be your WINS server.
7539 Note that you should \fBNEVER\fR set this to yes
7540 on more than one machine in your network.
7542 Default: \fBwins support = no\fR
7545 This controls what workgroup your server will
7546 appear to be in when queried by clients. Note that this parameter
7547 also controls the Domain name used with the \fBsecurity = domain\fR
7550 Default: \fBset at compile time to WORKGROUP\fR
7552 Example: \fBworkgroup = MYGROUP\fR
7555 Synonym for \fI writeable\fR for people who can't spell :-).
7557 \fBwrite cache size (S)\fR
7558 If this integer parameter is set to non-zero value,
7559 Samba will create an in-memory cache for each oplocked file
7560 (it does \fBnot\fR do this for
7561 non-oplocked files). All writes that the client does not request
7562 to be flushed directly to disk will be stored in this cache if possible.
7563 The cache is flushed onto disk when a write comes in whose offset
7564 would not fit into the cache or when the file is closed by the client.
7565 Reads for the file are also served from this cache if the data is stored
7568 This cache allows Samba to batch client writes into a more
7569 efficient write size for RAID disks (i.e. writes may be tuned to
7570 be the RAID stripe size) and can improve performance on systems
7571 where the disk subsystem is a bottleneck but there is free
7572 memory for userspace programs.
7574 The integer parameter specifies the size of this cache
7575 (per oplocked file) in bytes.
7577 Default: \fBwrite cache size = 0\fR
7579 Example: \fBwrite cache size = 262144\fR
7581 for a 256k cache size per file.
7583 \fBwrite list (S)\fR
7584 This is a list of users that are given read-write
7585 access to a service. If the connecting user is in this list then
7586 they will be given write access, no matter what the \fIread only\fR
7587 option is set to. The list can include group names using the
7590 Note that if a user is in both the read list and the
7591 write list then they will be given write access.
7593 See also the \fIread list
7596 Default: \fBwrite list = <empty string>
7598 Example: \fBwrite list = admin, root, @staff
7601 Inverted synonym for \fI read only\fR.
7604 This parameter controls whether or not the server
7605 will support raw write SMB's when transferring data from clients.
7606 You should never need to change this parameter.
7608 Default: \fBwrite raw = yes\fR
7611 Inverted synonym for \fI read only\fR.
7614 Although the configuration file permits service names
7615 to contain spaces, your client software may not. Spaces will
7616 be ignored in comparisons anyway, so it shouldn't be a
7617 problem - but be aware of the possibility.
7619 On a similar note, many clients - especially DOS clients -
7620 limit service names to eight characters. smbd(8)
7621 has no such limitation, but attempts to connect from such
7622 clients will fail if they truncate the service names. For this reason
7623 you should probably keep your service names down to eight characters
7626 Use of the [homes] and [printers] special sections make life
7627 for an administrator easy, but the various combinations of default
7628 attributes can be tricky. Take extreme care when designing these
7629 sections. In particular, ensure that the permissions on spool
7630 directories are correct.
7633 This man page is correct for version 2.2 of
7648 The original Samba software and related utilities
7649 were created by Andrew Tridgell. Samba is now developed
7650 by the Samba Team as an Open Source project similar
7651 to the way the Linux kernel is developed.
7653 The original Samba man pages were written by Karl Auer.
7654 The man page sources were converted to YODL format (another
7655 excellent piece of Open Source software, available at
7656 ftp://ftp.icce.rug.nl/pub/unix/ <URL:ftp://ftp.icce.rug.nl/pub/unix/>) and updated for the Samba 2.0
7657 release by Jeremy Allison. The conversion to DocBook for
7658 Samba 2.2 was done by Gerald Carter